Abstract

We show that every construction of one-time signature schemes from a random oracle achieves black-box security at most $2^{(1+o(1))q}$, where $q$ is the total number of oracle queries asked by the key generation, signing, and verification algorithms. That is, any such scheme can be broken with probability close to 1 by a (computationally unbounded) adversary making $2^{(1+o(1))q}$ queries to the oracle. This is tight up to a constant factor in the number of queries, since a simple modification of Lamport's one-time signatures (Lamport '79) achieves $2^{(0.812-o(1))q}$ black-box security using $q$ queries to the oracle.

Our result extends (with a loss of a constant factor in the number of queries) also to the random permutation and ideal-cipher oracles. Since the symmetric primitives (e.g. block ciphers, hash functions, and message authentication codes) can be constructed by a constant number of queries to the mentioned oracles, as a corollary we get lower bounds on the efficiency of signature schemes from symmetric primitives when the construction is black-box. This can be taken as evidence of an inherent efficiency gap between signature schemes and symmetric primitives.

1 Introduction 

Digital signature schemes allow authentication of messages between parties without shared keys. 
Signature schemes pose an interesting disconnect between the worlds of theoretical and applied 
cryptography. From a theoretical point of view, it is natural to divide cryptographic tools into 
those that can be constructed using one-way functions and those that are not known to have 
such constructions. Signature schemes, along with private key encryption, message authentication 
codes, pseudorandom generators and functions, belong to the former camp. In contrast, the known 
constructions of public key encryption are based on structured problems that are conjectured to be 
hard (i.e., problems from number theory or the theory of lattices). From a practical point of view, 
it is more natural to divide the tools according to the efficiency of their best known constructions. 
The division is actually similar, since schemes based on structured problems typically require both more complicated computations and larger key size, as they often have non-trivial attacks (e.g., because of the performance of the best known factoring algorithms, to get $2^n$ security based on factorization one needs to use $\tilde{\Omega}(n^3)$ bit long integers).
Signature schemes are an outlier to this rule: even though they can be constructed using one-way functions, applied cryptographers consider them relatively inefficient, since practical constructions are based on structured hard problems and thus are significantly less efficient than private key encryption, message authentication codes, pseudorandom functions, etc. In particular, very high speed applications shun digital signatures in favor of message authentication codes even though the latter sometimes incur a significant cost in keeping shared private keys among the entities involved (e.g., see [PCST00] and the references therein). The reason is that known constructions of such schemes from one-way functions or other unstructured primitives are quite inefficient. This problem already arises in one-time signatures [Rab78, Lam79, Mer87], which are a relaxation of digital signatures offering security only in the case that the attacker observes at most a single valid signature. The best known constructions for this case require $\Omega(k)$ invocations of the one-way function (or even a random oracle) to achieve $2^k$ security. In contrast, there are known constructions of message authentication codes, private key encryptions, and pseudorandom generators and functions that use only $O(1)$ queries to a random oracle.

In this paper, we study the question of whether there exist more efficient constructions of 
signature schemes from symmetric primitives such as hash functions and block ciphers. We show 
to a certain extent that the inefficiency of the known constructions is inherent. 

1.1 Our results 

We consider the efficiency of constructions of one-time signatures using black boxes / oracles that model ideal symmetric primitives: the random oracle, the random permutation oracle, and the ideal cipher oracle (see Section 3 for definitions). We wish to study the security of such constructions as a function of the number of queries made to the oracle by the construction (i.e., by the generation, signing, and verification algorithms). Of course, we believe that one-time signatures exist and so there are in fact signature schemes achieving super-polynomial security without making any query to the oracle. Hence we restrict ourselves to bounding the black-box security of such schemes. We say that a cryptographic scheme using oracle $O$ has black-box security $S$ if for every $1 \le T \le S$, a (potentially computationally unbounded) adversary that makes at most $T$ queries to $O$ cannot break the scheme with probability larger than $T/S$ (see Definition 3.6). Our main result is the following:

Theorem 1.1. Any one-time signature scheme for $n$-bit messages using at most $q \le n$ queries to a random oracle has black-box security at most $2^{(1+o(1))q}$, where $o(1)$ goes to zero with $q$.

This is in contrast to other primitives such as message authentication codes, collision resistant hash functions, private-key encryption, and pseudorandom functions, that can all be implemented using one or two queries to a random oracle with black-box security that depends exponentially on the length of these queries. We note that Theorem 1.1 is tight up to a constant factor in the number of queries, since a simple modification of Lamport's scheme [Lam79] yields $2^{(\alpha-o(1))q}$ black-box security, where $\alpha \approx 0.812$ is equal to $H(c)/(1+c)$, $H$ is the Shannon entropy function and $c = (3-\sqrt{5})/2$ (see Section 5). We also prove several extensions of the main result:

Other oracles. Since our goal is to find out whether signatures can be efficiently constructed from symmetric primitives, it makes sense to study also other primitives than the random oracle. Theorem 1.1 extends (with a loss of a constant factor in the number of queries) to the ideal cipher oracle and random permutation oracle, which are also sometimes used to model the idealized security of symmetric primitives such as block ciphers and one-way permutations.

^In contrast to digital signatures that have a public verification key and a secret signing key, message authentication codes have a single key for both verification and signing, and hence that key must be kept private to maintain security.

Implementing the adversary in $\mathrm{BPP}^{\mathrm{NP}}$. The proof of Theorem 1.1 shows that for every $q$-query one-time signature scheme for $\{0,1\}^n$ from a random oracle, there is an adversary that breaks it with probability close to 1 using at most $\mathrm{poly}(q)2^q$ queries. However, the running time of this adversary can be higher than that. This is inherent, as otherwise we would be proving unconditionally the non-existence of one-time signature schemes. However, we show that this adversary can be implemented in probabilistic polynomial time using an oracle to an NP-complete problem. Thus, similar to what Impagliazzo and Rudich [IR89] showed for key exchange, if there were a more efficient construction of signature schemes from random oracles with a proof of security relying on the adversary's efficiency, then this would also be a proof that $\mathrm{P} \ne \mathrm{NP}$.

Imperfect completeness. While the standard definition of signature schemes requires the verifier to accept valid signatures with probability 1, one can also consider relaxed variants where the verifier has some small positive probability of rejecting even valid signatures. We say that such signature schemes satisfy imperfect completeness. We can extend Theorem 1.1 to this case, though to get an attack succeeding with high probability we lose a quadratic factor in the number of queries.

Efficiency of the verifier. Because the signing and the verification algorithms are executed more often than the key generation algorithm, it makes sense to study their efficiency separately rather than just studying the total number of queries. Although in the construction for signature schemes that we will see later (see Section 5) the signing algorithm asks only one oracle query and the total number of queries is optimal up to a constant factor, the question about the efficiency of the verifier still remains. We show that (keeping the number of signing queries fixed to one) there is a tradeoff between the number of queries asked by the verification algorithm and the total number of queries, conditioned on getting a certain black-box security.

Black-box constructions. As mentioned above, all the symmetric primitives can be constructed from a random oracle, random permutation oracle, or ideal cipher oracle by only $O(1)$ queries, and get security exponential in the length of the queries. Therefore, our lower bounds on signatures from ideal oracles yield as corollaries lower bounds on the efficiency of signatures from symmetric primitives when the construction is black box. This holds even when the one-way permutation used in the construction has $n/2$ hardcore bits. The latter answers a question raised by [GGKT05]. Our results rule out the existence of black-box constructions unconditionally (similar to [HHRS07]), while the results of [GGKT05] show the existence of a one-way function as a consequence. We prove the strongest possible form of lower bound on the efficiency of black box constructions of signatures from symmetric primitives. Namely, we show that black-box constructions of signature schemes for $n$-bit messages based on exponentially hard symmetric primitives of security parameter $n$ need to make at least $\Omega(n)$ calls to the primitive.

Note on the random oracle model. Although the random oracle model [BR93] (and its cousin the ideal cipher model) is frequently used as an idealization of the properties enjoyed by certain constructions such as the SHA-1 hash function [Nat95] and the AES block cipher [DR02], it has drawn a lot of criticism, as this idealization is not generally justified [CGH98]. However, for the sake of lower bounds (as is our concern here) this idealization seems appropriate, as it is a clean way to encapsulate all the attractive properties that could be obtained by constructions such as SHA-1, AES, etc.

Taxonomy of black-box reductions. Reingold, Trevisan and Vadhan [RTV04] study various notions of "black-boxness" of security proofs in cryptography according to whether a construction of a cryptographic tool based on an underlying primitive uses this primitive as a black box, and whether its security proof uses the adversary as a black box. Those definitions are not in the oracle model with which we are concerned here. They call a construction for primitive $A$ from primitive $B$ black-box if the implementation of $A$ uses $B$ as a black box. The security reduction which converts an adversary for the implementation of $A$ to an adversary for $B$ could have different levels of being black box. However, in the oracle based constructions studied here, the implementation reduction is always forced to be black-box, and for the proof of security, there is no security measure defined for the primitive used (i.e. the oracle) to which we could reduce the security of our construction. One common way to prove security for oracle based constructions is to rely on the statistical properties of the oracle and show that any (even computationally unbounded) adversary breaking the implementation needs to ask many queries from the oracle. This gives a quantitative security guarantee and is called a black-box proof of security in the oracle model. A non-black-box proof of security in this model is a proof showing that any adversary who runs in time $\mathrm{poly}(n,T)$, where $n$ is the input length and $T$ the number of oracle queries it asks, needs to ask many queries from the oracle. In this work, we give a lower bound on the number of queries needed to get black-box security $S$ for one-time signatures in various ideal oracle models, and also show that if $\mathrm{P} = \mathrm{NP}$, then this bound holds for non-black-box proofs of security as well. We note that if one-way functions exist, then there do exist constructions making no query to the random oracle with super-polynomial non-black-box security. As we mentioned before, our lower bounds in the ideal oracle models yield some lower bounds on the efficiency of one-time signatures from symmetric primitives in the standard model of [RTV04]. We also note that there do exist cryptographic constructions that use the primitive [GMW86, GMW87] or the adversary [Bar01] in a non-black-box way, but at the moment all of the known highly efficient cryptographic constructions (e.g., those used in practice) are black box, in the sense that if they use a generic underlying primitive (i.e., not based on specific problems such as factoring) then it is used as a black box, and if they have a proof of security then the proof treats the adversary as a black box.

1.2 Prior work 

To the best of our knowledge, this is the first lower bound on the number of random oracle queries needed to construct signature schemes. Starting with the seminal paper of Impagliazzo and Rudich [IR89], which showed that there is no construction of a key exchange protocol from a random oracle with super-polynomial black-box security, and therefore rules out black-box constructions of key exchange protocols from one-way functions, several works have investigated the existence of black-box constructions reducing one kind of cryptographic scheme to another. However, only few works

^It could be fully black-box, semi black-box, or non-black-box, and if the implementation reduction is black box, the whole construction is called (resp.) fully black-box, semi black-box, or weakly black-box.
studied the efficiency of such constructions [KST99, GGKT05]. Of these, the most relevant is the paper by Gennaro, Gertner, Katz, and Trevisan [GGKT05]. They considered the efficiency of basing various cryptographic primitives on one-way permutations (OWP) secure against $S$-sized circuits, and proved that to achieve super-polynomial security (1) pseudorandom generators with $\ell$ bits of stretch require $\Omega(\ell/\log S)$ invocations of the OWP, (2) universal one-way hash functions compressing their input by $\ell$ bits require $\Omega(\ell/\log S)$ invocations, (3) private key encryption schemes for messages of length $n$ with key length $k$ require $\Omega((n-k)/\log S)$ invocations, and (most relevant for us) (4) one-time signature schemes for $n$-bit messages require $\Omega(n/\log S)$ invocations.

However, the one-way permutation oracle used by [GGKT05] was very far from being a random oracle. Indeed, the applications (1), (2), and (3) can be implemented using only a constant number of calls to a random oracle, and correspondingly are considered to have efficient practical implementations. Thus, [GGKT05] did not answer the question of whether signature schemes can be efficiently constructed from efficient symmetric key primitives such as hash functions and block ciphers. It is this question that we are concerned with in this paper. Thus, on a technical level our work is quite different from [GGKT05] (as we work with a random oracle and cannot "tamper" with it to prove our lower bound) and in fact is more similar to the techniques in the original work of Impagliazzo and Rudich [IR89]. We note that this work partially answers a question of [GGKT05], as it implies that any black-box construction of one-time signatures from a one-way permutation $p:\{0,1\}^n \to \{0,1\}^n$ with even $n/2$ hard-core bits requires at least $\Omega(n)$ queries to the permutation.

Several works [Mer87, EGM89, Vau92, BM94, BM96] considered generalizations of Lamport's one-time signature scheme. Some of these achieve shorter keys and signatures, although the tradeoff they achieve between the number of queries and security is at most a constant factor better than Lamport's scheme (which, as we show, is inherent).

2 Our techniques 

We now give a high level overview of the ideas behind the proof of Theorem 1.1. Our description ignores several subtle issues, and the reader is referred to Section 4 for the full proof. To understand the proof of the lower bound, it is instructive to review the known upper bounds and in particular the simple one-time signature scheme of Lamport [Lam79]. To sign messages of length $n$ with security parameter $\ell$ using a random oracle $O$ (that we model as a random function from $\{0,1\}^\ell$ to $\{0,1\}^\ell$) the scheme works as follows:

• Generate the public verification key $VK$ by choosing $2n$ random strings $\{x_i^b\}_{i\in[n],\,b\in\{0,1\}}$ in $\{0,1\}^\ell$ and setting $VK$ to be the sequence $\{y_i^b\}_{i\in[n],\,b\in\{0,1\}}$ for $y_i^b = O(x_i^b)$.

• To sign a message $\alpha \in \{0,1\}^n$, simply reveal the preimages in the set $\{x_i^b\}_{i\in[n],\,b\in\{0,1\}}$ that correspond to the bits of $\alpha$. That is, the signature is ...

• The verifier checks that indeed $O(x_i^{\alpha_i}) = y_i^{\alpha_i}$ for every $i \in [n]$.
^Otherwise, we can construct a one-way function directly.

^They considered an oracle that applies a random permutation on the first $t$ bits of its $n$-bit input, for $t \ll n$, and leaves the rest of the $n-t$ bits unchanged. This is a one-way permutation with $2^{\Omega(t)}$ security.

^We use the terms "lower bound" and "upper bound" in their traditional crypto/complexity meaning of negative results vs. positive results. Of course one can view Theorem 1.1 as either upper-bounding the security or lower-bounding the number of queries.
This scheme uses $3n$ queries. It can be shown that it has $2^{\Omega(\ell)}$ security. Note that in this case the security can be arbitrarily large independently of the number of queries. Indeed, note that Theorem 1.1 requires that the number of queries $q$ is not larger than the length of the messages to be signed. Lamport's scheme can be easily modified to work for unbounded size messages by following the well known "hash-and-sign" paradigm: first use the random oracle to hash the message to length $k$, and then apply Lamport's scheme to the hashed value. This will result in a scheme with $3k+2$ queries and (by the birthday bound) $2^{k/2}$ black-box security (see Section 5 for some improvements). We see that now indeed the security is bounded by $2^{O(q)}$ (where $q = 3k+2$ is the number of queries), regardless of the length $\ell$ of the queries.

The above discussion shows that to prove Theorem 1.1 we will need to use the fact that there is a large number of potential messages, which is indeed what we do. Note that the reason that the hash-and-sign variant of Lamport's scheme only achieves $2^{k/2}$ security is that if a pair of messages $\alpha,\beta$ satisfies $O_k(\alpha) = O_k(\beta)$ (where $O_k(x)$ denotes the first $k$ bits of $O(x)$), then they have the same signature, and so a signature for $\alpha$ allows an adversary to forge a signature on $\beta$. We will try to generalize this observation to arbitrary signature schemes. For every such scheme $\mathcal S$ and two messages $\alpha,\beta$ (after fixing the oracle and the randomness of the system), we will say that "$\alpha$ is useful for $\beta$" if they satisfy a certain condition. Then (roughly speaking) we will prove that: (A) if $\alpha$ is useful for $\beta$ then a signature on $\alpha$ can be used to compute a signature on $\beta$ by asking at most $2^{O(q)}$ oracle queries (where $q$ is the total number of queries made by the scheme $\mathcal S$), and (B) if $\alpha$ and $\beta$ are chosen at random from a large enough space of messages, then $\alpha$ will be useful for $\beta$ with probability at least $2^{-O(q)}$. Together (A) and (B) imply that, as long as the space of possible messages is large enough, the black-box security of $\mathcal S$ is bounded by $2^{O(q)}$, since the adversary can find a useful pair of messages $\alpha,\beta$ with probability $2^{-O(q)}$, ask for a signature on $\alpha$ and use that to forge a signature on $\beta$ by asking $2^{O(q)}$ queries.

Defining the usefulness condition. This proof strategy rests of course on the ability to find an appropriate condition "$\alpha$ is useful for $\beta$" for every one-time signature scheme $\mathcal S$. This is what we describe now. For now, we will assume that only the key generation algorithm of $\mathcal S$ is probabilistic, and that both the signing and verification algorithms are deterministic. For every fixed randomness for the generation algorithm, fixed oracle, and message $\alpha$, we define $G$, $S_\alpha$ and $V_\alpha$ to be the sets of queries made (respectively) by the generation, signing, and verification algorithms, where the last two are applied on the message $\alpha$.

First attempt. Observe that in the hash-and-sign variant of Lamport's scheme, $\alpha$ and $\beta$ have the same signature if $V_\alpha = V_\beta$. This motivates stipulating for every signature scheme that $\alpha$ is useful for $\beta$ if $V_\beta \subseteq V_\alpha$. This definition satisfies Property (A) above: if we know all the queries that the verifier will make on a signature of $\beta$, then finding a signature that makes it accept can be done by an exponential-time exhaustive search that does not make any oracle queries at all. The problem is that it might not satisfy (B): it is easy to make the verifier ask, when verifying a signature for $\alpha$, a query that uniquely depends on $\alpha$, thus ensuring $V_\beta \not\subseteq V_\alpha$ for every distinct $\alpha,\beta$.

^The actual adversary we will show operates by asking $\mathrm{poly}(q)2^q$ queries, and it succeeds with probability almost 1; see the proof of Theorem 4.1.

^We study the randomized verifier in Section 6.3, but assuming that the signer is deterministic is without loss of generality. That is because the key generator can give, through the secret key, a secret seed $s$ to the signer, and the signer would use $O(s,\alpha)$ as the randomness needed to sign the message $\alpha$.
Second attempt. A natural intuition is that verifier queries that do not correspond to queries made by the generation algorithm are sort of "irrelevant"; after all, in Lamport's scheme all the queries the verifier makes are a subset of the queries made by the generation algorithm. Thus, we might try to define that $\alpha$ is useful for $\beta$ if $V_\beta \cap G \subseteq V_\alpha$. Since $G$ has at most $q$ queries, and so at most $2^q$ subsets, this definition satisfies Property (B), since if $\alpha$ and $\beta$ are randomly chosen from a set of size $2^q$ then $\alpha$ will be useful for $\beta$ with probability at least $2^{-q}$. Unfortunately, it does not satisfy Property (A): there is a signature scheme for which every pair of messages $\alpha,\beta$ satisfies this condition even when a signature for $\alpha$ cannot be used to forge a signature on $\beta$.*



Our actual condition. The condition we actually use, roughly speaking, is that $\alpha$ is useful for $\beta$ if

$V_\beta \cap (G \cup S_\alpha) \subseteq V_\alpha$. (1)

Using Bollobás's Inequality [Bol65] (see the proof of Claim 4.7) it can be shown that the condition (1) satisfies Property (B). It is less obvious why it satisfies Property (A); to see this we need to see how our adversary will operate. The high level description of our attack is as follows:

1. Input: Key Generation. The adversary receives the verification key $VK$.

2. Request Signature. Choose $\alpha \ne \beta \leftarrow \{0,1\}^n$ at random, and get $\sigma_\alpha$, the signature of $\alpha$.

3. Learning Oracle Queries. Run $\mathrm{Ver}(VK,\alpha,\sigma_\alpha)$ to learn the set $V_\alpha$ of oracle queries that it asks and their answers. (Later we will modify this step somewhat, and ask some more oracle queries.)

4. Sampling a Possible Transcript. Conditioned on knowing $VK$, $\sigma_\alpha$, and the answers to the queries in $V_\alpha$, guess the value of $SK$, the sets $G$ and $S_\alpha$, and their answers. Let $\widehat{SK}$, $\widehat{G}$, and $\widehat{S}_\alpha$ denote the guesses.

5. Forging. Sign the message $\beta$ using $\widehat{SK}$ and sticking to the oracle answers guessed for queries in $\widehat{G} \cup \widehat{S}_\alpha$, to get $\sigma_\beta$. That is, if we want to ask an oracle query in $\widehat{G} \cup \widehat{S}_\alpha$, use the guessed answer, and otherwise ask the real oracle $O$. Output $\sigma_\beta$.

Note that the queries for which we might have guessed a wrong answer are in the set $(\widehat{G} \cup \widehat{S}_\alpha) \setminus V_\alpha$, because we made the guesses conditioned on knowing $V_\alpha$ and its answers. Suppose that during the verification of $(\beta,\sigma_\beta)$, none of these queries is asked from the oracle (i.e. $V_\beta \cap (\widehat{G} \cup \widehat{S}_\alpha) \subseteq V_\alpha$). Then we can pretend that our guesses were correct. That is, because the answers to different queries of a random oracle are independent, as far as the verifier is concerned our guesses could be right, and hence by definition, the verification of $(\beta,\sigma_\beta)$ must accept with probability 1.

The description of the attack above shows that a condition similar to condition (1), namely

$V_\beta \cap (\widehat{G} \cup \widehat{S}_\alpha) \subseteq V_\alpha$, (2)

has Property (A). But condition (2) might not have Property (B). We cope with this by ensuring that the attacker has sufficient information so that (essentially) whenever (1) happens, (2) also

*Such an example can be obtained by the variant of Lamport's scheme where each signer uses the verification key $VK$ to sign a new verification key $VK'$ (the randomness for which is part of the secret key), and then signs the message using the secret key corresponding to $VK'$. In this case $V_\alpha \cap G = V_\beta \cap G$ for every pair $\alpha,\beta$, even if a signature on $\alpha$ cannot be used to compute a signature on $\beta$.

happens. This is accomplished by learning more oracle queries before making the guesses. Namely, we learn all the queries that are in the set $G \cup S_\alpha$ with some noticeable probability (conditioned on what we know about them). We then use a careful hybrid argument (that involves the most technical part of the proof) to show that after performing this learning, the condition (2) occurs with probability at least as large as the probability that (1) occurs (up to some lower order terms). Thus our actual usefulness condition will be (2), though for the complete definition of the sets $\widehat{G}$, $\widehat{S}_\alpha$ involved in it, one needs to go into the details of the proof of Theorem 4.1.
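As an added, runnable illustration (this is not code from the paper), the following Python models the random oracle as a lazily sampled table that logs which algorithm asked each query, implements Lamport's scheme and its hash-and-sign variant as described at the start of this section, checks the query counts $3n$ and $3k+2$ stated there, and then reads the sets $G$, $S_\alpha$, $V_\alpha$, $V_\beta$ off the log to evaluate usefulness condition (1) on a colliding and a non-colliding pair of messages. The class and function names, the choice to key the oracle by byte strings of any length rather than a fixed $\{0,1\}^\ell$, the fixed RNG seeds, and the sample messages are all this example's own assumptions.

```python
import random


class RandomOracle:
    """Random function sampled lazily (outputs are ell bytes; inputs are any byte string).
    Every query is logged with a tag naming who asked it, so the paper's sets
    G, S_alpha, V_alpha can be read off the log afterwards."""

    def __init__(self, ell_bytes, seed=0):
        self.ell = ell_bytes
        self.rng = random.Random(seed)   # seeded only so the example is reproducible
        self.table = {}
        self.log = []                    # (tag, query) pairs, in the order asked

    def query(self, x, tag):
        if x not in self.table:
            self.table[x] = self.rng.randbytes(self.ell)
        self.log.append((tag, x))
        return self.table[x]

    def queries(self, tag):
        return {x for t, x in self.log if t == tag}


def bits(m, n):
    return [(m >> i) & 1 for i in range(n)]


# Lamport's scheme for n-bit messages: 2n secret strings x_i^b, VK = {O(x_i^b)}.
def lamport_gen(O, n, rng, tag="G"):                 # 2n oracle queries
    sk = [[rng.randbytes(O.ell) for _ in range(2)] for _ in range(n)]
    vk = [[O.query(sk[i][b], tag) for b in range(2)] for i in range(n)]
    return sk, vk


def lamport_sign(sk, m, n):                          # reveals x_i^{m_i}; no oracle query
    return [sk[i][b] for i, b in enumerate(bits(m, n))]


def lamport_ver(O, vk, m, sig, n, tag="V"):          # n oracle queries
    return all(O.query(sig[i], tag) == vk[i][b] for i, b in enumerate(bits(m, n)))


# Hash-and-sign: O_k(msg) = first k bits of O(msg), then Lamport on the k-bit hash.
def hash_k(O, msg, k, tag):
    return int.from_bytes(O.query(msg, tag), "big") >> (8 * O.ell - k)


def hs_sign(O, sk, msg, k, tag="S"):                 # 1 oracle query (the hash)
    return lamport_sign(sk, hash_k(O, msg, k, tag), k)


def hs_ver(O, vk, msg, sig, k, tag="V"):             # k + 1 oracle queries
    return lamport_ver(O, vk, hash_k(O, msg, k, tag), sig, k, tag)


def query_counts(n=8, k=6, ell=4):
    """Total oracle queries of one gen/sign/verify run: 3n for Lamport, 3k+2 for hash-and-sign."""
    O1, rng = RandomOracle(ell, seed=1), random.Random(2)
    sk, vk = lamport_gen(O1, n, rng)
    m = 0b10110010 & ((1 << n) - 1)                  # constructed sample message
    assert lamport_ver(O1, vk, m, lamport_sign(sk, m, n), n)
    O2 = RandomOracle(ell, seed=3)
    sk2, vk2 = lamport_gen(O2, k, rng)
    msg = b"\x00\x01\x02\x03"                        # constructed sample message
    assert hs_ver(O2, vk2, msg, hs_sign(O2, sk2, msg, k), k)
    return len(O1.log), len(O2.log)


def useful(O):
    """Condition (1): V_beta ∩ (G ∪ S_alpha) ⊆ V_alpha, with the sets taken from the query log."""
    G, Sa, Va, Vb = (O.queries(t) for t in ("G", "S", "V", "Vb"))
    return (Vb & (G | Sa)) <= Va


def usefulness_demo(k=4, ell=4):
    """Hash-and-sign with a short hash: a colliding beta is useful for alpha, a non-colliding one is not."""
    O, rng = RandomOracle(ell, seed=5), random.Random(6)
    sk, vk = lamport_gen(O, k, rng)                  # fills G
    alpha = (1).to_bytes(ell, "big")
    sig_a = hs_sign(O, sk, alpha, k)                 # fills S_alpha
    assert hs_ver(O, vk, alpha, sig_a, k)            # fills V_alpha
    h_a = hash_k(O, alpha, k, "adv")
    coll = noncoll = None                            # look for beta with O_k(beta) = O_k(alpha)
    for i in range(2, 1 << 16):
        beta = i.to_bytes(ell, "big")
        same = hash_k(O, beta, k, "adv") == h_a
        if same and coll is None:
            coll = beta
        elif not same and noncoll is None:
            noncoll = beta
        if coll is not None and noncoll is not None:
            break
    verdict = {}
    for name, beta in (("collision", coll), ("no_collision", noncoll)):
        O.log = [e for e in O.log if e[0] != "Vb"]   # fresh V_beta for each candidate
        sig_b = hs_sign(O, sk, beta, k, tag="adv")   # honest signature of beta
        assert hs_ver(O, vk, beta, sig_b, k, tag="Vb")   # fills V_beta
        verdict[name] = useful(O)
    # Property (A) in its simplest form: alpha's signature is accepted for the colliding beta.
    return {"useful": verdict, "alpha_sig_verifies_for_beta": hs_ver(O, vk, coll, sig_a, k, tag="adv")}
```

The query sets are recovered purely by tagging, which is what makes the abstract condition concrete: for plain Lamport the verifier's queries are always a subset of $G$, so condition (1) collapses to $V_\beta \subseteq V_\alpha$ and fails for every distinct pair, while in the hash-and-sign variant a collision of $O_k$ makes it hold exactly as the text describes.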

3 Preliminaries 

3.1 Basic Probability Facts 

We recall some simple but useful well known facts and definitions about random variables. 

Definition 3.1. The statistical distance of two finite random variables $X, Y$, denoted by $\mathrm{SD}(X,Y)$, is defined to be $\frac{1}{2}\sum_a \left|\Pr[X=a] - \Pr[Y=a]\right|$.

Lemma 3.2. If $A,B$ are random variables, and the event $E$ is defined over $\mathrm{Supp}(A) \cup \mathrm{Supp}(B)$ (where $\mathrm{Supp}(X)$ denotes the support of the random variable $X$), then $\left|\Pr[E(A)] - \Pr[E(B)]\right| \le \mathrm{SD}(A,B)$.

Lemma 3.3. If the random variable $A'$ is a function of random variable $A$, and the random variable $B'$ is a function of $B$, then $\mathrm{SD}(A',B') \le \mathrm{SD}(A,B)$.

Lemma 3.4. If the event $E$ is defined over the random variable $A$, and the event $D$ is defined over the random variable $B$, and we have $\mathrm{SD}(A \mid \neg E,\ B \mid \neg D) = 0$, then $\mathrm{SD}(A,B) \le (\Pr[E] + \Pr[D])/2$.

By $U_n$ we mean the uniformly distributed random variable over $n$-bit strings.
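As an added example (not from the paper), the following Python computes the statistical distance of Definition 3.1 exactly with rationals, and checks the inequalities of Lemma 3.2 (an event cannot distinguish better than SD) and Lemma 3.3 (applying a function cannot increase SD) on a constructed pair of distributions; the representation of distributions as value-to-probability dictionaries and the sample distributions are this example's choices.

```python
from collections import Counter
from fractions import Fraction


def statistical_distance(p, q):
    """Definition 3.1: SD(X, Y) = 1/2 * sum_a |Pr[X=a] - Pr[Y=a]| for distributions given
    as {value: probability} dicts; Fractions keep the arithmetic exact."""
    support = set(p) | set(q)
    return Fraction(1, 2) * sum(abs(Fraction(p.get(a, 0)) - Fraction(q.get(a, 0))) for a in support)


def event_prob(p, E):
    """Pr[E(X)] for a predicate E defined over the support."""
    return sum(Fraction(pr) for a, pr in p.items() if E(a))


def push_forward(p, f):
    """Distribution of f(X) when X ~ p (the 'function of a random variable' of Lemma 3.3)."""
    out = Counter()
    for a, pr in p.items():
        out[f(a)] += Fraction(pr)
    return dict(out)


def uniform_bits(n):
    """U_n: the uniform distribution over n-bit strings, represented as integers 0 .. 2^n - 1."""
    return {a: Fraction(1, 2 ** n) for a in range(2 ** n)}


def check_lemmas(p, q, E, f):
    """Returns SD(A, B) and whether the inequalities of Lemma 3.2 and Lemma 3.3 hold for E and f."""
    sd = statistical_distance(p, q)
    lemma_3_2 = abs(event_prob(p, E) - event_prob(q, E)) <= sd
    lemma_3_3 = statistical_distance(push_forward(p, f), push_forward(q, f)) <= sd
    return sd, lemma_3_2, lemma_3_3


# Constructed sample: A = U_2 versus a B that moves 1/4 of the mass onto the value 0.
A = uniform_bits(2)
B = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 4)}
is_even = lambda a: a % 2 == 0      # an event over Supp(A) ∪ Supp(B)
low_bit = lambda a: a & 1           # a function of the random variable
```

On this sample both lemmas are tight: SD(A, B) = 1/4, the event "even" separates the two with advantage exactly 1/4, and the low bit preserves the whole distance.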

3.2 Signature Schemes in Oracle Models 

We define the notion of one-time signature schemes and their black-box security. We specialize our definition to the case that the signature schemes use an oracle $O$ that may also be chosen from some probability distribution. We use the standard notation $A^O(x)$ to denote the output of an algorithm $A$ on input $x$ with access to oracle $O$.

Definition 3.5. An oracle signature scheme (with perfect completeness) for $n$-bit messages is a triple of oracle algorithms $(\mathrm{Gen}, \mathrm{Sign}, \mathrm{Ver})$ (where Gen could be probabilistic) with the following property: for every oracle $O$, if $(SK,VK)$ is a pair that is output by $\mathrm{Gen}^O(1^n)$ with positive probability, then for every $\alpha \in \{0,1\}^n$, $\mathrm{Ver}^O(VK,\alpha,\mathrm{Sign}^O(SK,\alpha)) = 1$. We call $SK$ the signing key and $VK$ the verification key.

One can also make a relaxed requirement that the verification algorithm only needs to accept 
valid signatures with probability 0.9 (where this probability is over the verifier's coins only). We 
say that such relaxed signature schemes have imperfect completeness, and we will consider such 
schemes in Section 16.31 If the oracle algorithms of the Definition 13.51 run in polynomial-time, then 
we call the signature scheme efficient. Note that we consider (not necessarily efficient) signature 
algorithms on a finite set of messages. For upper bounds (i.e., positive results) one would want 
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uniform efficient algorithms that could handle any size of message, but for a lower bound (i.e., a 
negative result), this simpler definition will do. 

So far, we did not say anything about the security. In the following definition we specify the 
"game" in which the adversary participates and tries to break the system and give a quantitative 
measure for the security. 

Definition 3.6. For every $S \in \mathbb{N}$, the oracle signature scheme $(\mathrm{Gen}, \mathrm{Sign}, \mathrm{Ver})$ is a one-time signature scheme with black-box security $S$ if for every message $\alpha \in \{0,1\}^n$, every $1 \le T \le S$, and every adversary algorithm $A$ that makes at most $T$ queries to its oracle, $\Pr[\mathrm{Ver}^O(VK,\alpha^*,\sigma^*) = 1 \text{ where } (\alpha^*,\sigma^*) = A^O(VK,\mathrm{Sign}^O(SK,\alpha)) \text{ and } \alpha^* \ne \alpha] \le T/S$, where $(SK,VK) = \mathrm{Gen}^O(1^n)$, and this probability is over the coins of all algorithms (Gen, Sign, Ver, and $A$) and the choice of the oracle $O$.

This is a slightly weaker definition of security than the standard definition, since we are not allowing the adversary to choose the message $\alpha$ based on the public key. However, this is again fine for lower bounds (the known upper bounds do satisfy the stronger definition). Also, some texts use $1/S$ (rather than $T/S$) as the bound on the success probability. Security according to either one of these definitions is always at most quadratically related, but we feel Definition 3.6 is more precise.

In a non-black-box proof of security, the running time of the adversary is utilized in order to 
prove the security of the system: 

Definition 3.7. For every $S \in \mathbb{N}$, the oracle signature scheme $(\mathrm{Gen}, \mathrm{Sign}, \mathrm{Ver})$ is a one-time signature scheme with non-black-box security $S$ if for every message $\alpha \in \{0,1\}^n$, every $T \le S$, and every adversary algorithm $A_T$ that makes at most $T$ oracle queries and runs in time $\mathrm{poly}(n,T)$, $\Pr[\mathrm{Ver}^O(VK,\alpha^*,\sigma^*) = 1 \text{ where } (\alpha^*,\sigma^*) = A_T^O(VK,\mathrm{Sign}^O(SK,\alpha)) \text{ and } \alpha^* \ne \alpha] \le T/S$, where $(SK,VK) = \mathrm{Gen}^O(1^n)$, and this probability is over the coins of all algorithms (Gen, Sign, Ver, and $A_T$) and the choice of the oracle $O$.

Oracles. In this work, as for the oracle signature schemes, we only use one of the following oracles: (1) The random oracle returns on input $x \in \{0,1\}^n$ the value $f(x)$ where $f$ is a random function from $\{0,1\}^n$ to $\{0,1\}^n$. (2) The random permutation oracle returns on input $x \in \{0,1\}^n$ the value $f(x)$ where $f$ is a random permutation on $\{0,1\}^n$. (3) The ideal cipher oracle with message length $n$ returns on input $(k,x,d)$, where $k \in \{0,1\}^*$, $x \in \{0,1\}^n$ and $d \in \{F,B\}$, the value $f_k(x)$ if $d = F$ and $f_k^{-1}(x)$ if $d = B$, where for every $k \in \{0,1\}^*$, $f_k$ is a random permutation on $\{0,1\}^n$. These three oracles are standard idealizations of (respectively) hash functions, one-way permutations, and block ciphers (see also Section 7).
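Simulating the permutation-style oracles above is easy to get subtly wrong: answering each fresh point with independent coin flips does not yield a permutation, and forward ($F$) and backward ($B$) queries have to agree. As an added example (not from the paper), here is a lazily sampled random permutation oracle and an ideal cipher oracle built from one such permutation per key, in Python, together with checks that the simulation stays a bijection and direction-consistent; the class names, the integer encoding of $\{0,1\}^n$, the bytes-valued keys, and the seeds are this example's own choices.

```python
import random


class RandomPermutationOracle:
    """A random permutation f on {0,1}^n (as integers 0 .. 2^n - 1), sampled lazily: each new
    point gets a uniformly random image among the outputs not yet used, and the inverse table
    is kept in sync so that forward and backward queries never contradict each other."""

    def __init__(self, n, seed=0):
        self.n = n
        self.rng = random.Random(seed)    # seeded only for reproducibility
        self.fwd, self.bwd = {}, {}

    def _fresh(self, used):
        while True:                       # rejection sampling: retry until the value is unused
            v = self.rng.getrandbits(self.n)
            if v not in used:
                return v

    def forward(self, x):                 # f(x)
        if x not in self.fwd:
            y = self._fresh(self.bwd)
            self.fwd[x], self.bwd[y] = y, x
        return self.fwd[x]

    def backward(self, y):                # f^{-1}(y)
        if y not in self.bwd:
            x = self._fresh(self.fwd)
            self.fwd[x], self.bwd[y] = y, x
        return self.bwd[y]


class IdealCipherOracle:
    """Query (k, x, d): an independent random permutation f_k per key k,
    d = 'F' returns f_k(x) and d = 'B' returns f_k^{-1}(x)."""

    def __init__(self, n, seed=0):
        self.n = n
        self.rng = random.Random(seed)
        self.perms = {}

    def query(self, k, x, d):
        if k not in self.perms:           # first use of key k: sample a fresh permutation
            self.perms[k] = RandomPermutationOracle(self.n, seed=self.rng.getrandbits(64))
        f = self.perms[k]
        return f.forward(x) if d == "F" else f.backward(x)


def consistency_check(n=6, seed=1):
    """Exercises a random permutation oracle in both directions and returns whether it stayed
    a bijection: f(f^{-1}(y)) = y, f^{-1}(f(x)) = x, and no two inputs share an image."""
    f = RandomPermutationOracle(n, seed)
    size = 1 << n
    ys = list(range(0, size, 3))
    xs = [f.backward(y) for y in ys]                 # inverse queries before any forward query
    ok = all(f.forward(x) == y for x, y in zip(xs, ys))
    images = [f.forward(x) for x in range(size)]     # now exhaust the whole domain
    ok = ok and len(set(images)) == size and all(f.backward(images[x]) == x for x in range(size))
    return ok


def ideal_cipher_check(n=6, seed=2):
    """Two keys give different permutations, and F and B are inverses under each key."""
    E = IdealCipherOracle(n, seed)
    under_k1 = [E.query(b"k1", x, "F") for x in range(1 << n)]
    under_k2 = [E.query(b"k2", x, "F") for x in range(1 << n)]
    inverses_ok = all(E.query(b"k1", y, "B") == x for x, y in enumerate(under_k1))
    return inverses_ok and len(set(under_k1)) == 1 << n and under_k1 != under_k2
```

The rejection loop in `_fresh` is what distinguishes this from the random-oracle table: it samples the image from the values still available, which is exactly the lazy way to draw a uniformly random permutation, and it terminates because a fresh query can only arrive while the table is not yet full.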

4 Proof of the main result 

Theorem 4.1. Let $(\mathrm{Gen}, \mathrm{Sign}, \mathrm{Ver})$ be a one-time oracle signature scheme (with perfect completeness) in the random oracle model for the space of messages $\mathcal{M}$ in which the total number of oracle queries asked by Gen, Sign, and Ver is at most $q$, and $|\mathcal{M}| \ge \binom{q}{q/2}/\lambda$. Then there is a (computationally unbounded) adversary which asks at most q^( ''2) 1 5 q 0{ ) = ) oracle queries and breaks the scheme with probability $1 - (\lambda + \delta)$. This probability is over the randomness of the oracle as well as the coin tosses of the key generation algorithm and the adversary.

^More generally, $f$ can be a function from $\{0,1\}^n$ to $\{0,1\}^{\ell(n)}$ for some function $\ell : \mathbb{N} \to \mathbb{N}$, but using standard padding arguments we may assume $\ell(n) = n$.
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Theorem 14.11 implies Theorem 11.11 via the following corollary: 

Corollary 4.2. Let (Gen, Sign, Ver) be a one-time oracle signature for the messages $\mathcal{M} = \{0,1\}^n$ in the random oracle model in which the total number of queries asked by the scheme is at most $q$ where $q \le n$. Then there is an adversary asking $2^{(1+o(1))q}$ queries breaking the scheme with probability at least $1 - o(1)$, and at least $0.49$ for any $q \ge 1$.

Proof. Let $\delta = \lambda = \frac{1}{\sqrt{q}} = \Theta(q^{-1/2}) = o(1)$, so we have $|\mathcal{M}| = 2^n \ge 2^q \ge \binom{q}{q/2}/\lambda$. Therefore we get an adversary asking $O\big(q^{3.5}\binom{q}{q/2}\big) = O(q^3 2^q) = 2^{(1+o(1))q}$ queries breaking the scheme with probability $1 - o(1)$. Thus the black-box security of the scheme is at most $O(q^3 2^q) = 2^{(1+o(1))q}$.

For any $q \ge 1$, $\lambda$ can be as small as $\binom{q}{q/2}/2^q \le 1/2$, and by taking $\delta = 0.01$ the success probability will be at least $0.49$. □

We now turn to proving Theorem 4.1. Let (Gen, Sign, Ver) be as in the theorem's statement. We assume that only Gen is probabilistic, and Sign and Ver are deterministic. We also assume that all the oracle queries are of length $\ell$. Since we assume the signature has perfect completeness, these assumptions can be easily shown to be without loss of generality. (In the case of imperfect completeness the verifier algorithm is inherently probabilistic; this case is studied in Section 6.3.) We will show an adversary that breaks the signature system with probability $1 - (\lambda + O(\delta))$, which implies Theorem 4.1 by simply changing $\delta$ to $\delta/c$ for some constant $c$.

The adversary's algorithm. Our adversary Adv will operate as follows:

Input: Key generation. The adversary receives a verification key $VK$, where $(VK, SK) = \mathrm{Gen}(1^n)$.

Step 1: Request signature. Let $\beta_0, \dots, \beta_{N-1}$ denote the first $N = \binom{q}{q/2}/\lambda$ distinct messages (in lexicographic order) in $\mathcal{M}$. Let $\alpha_0, \dots, \alpha_{N-1}$ be a random permutation of $\beta_0, \dots, \beta_{N-1}$. Adv asks for a signature on $\alpha_0$ and verifies it (note that $\alpha_0$ is chosen independently of the public key). We denote the obtained signature by $\sigma_0$, and we denote by $T_0$ the transcript of the algorithms run so far, which includes the random tape of the key generation algorithm, all the queries made by the key generation, signing, and verification algorithms, and the answers to these queries. So $T_0$ completely describes the running of the algorithms so far. (Note that Adv only has partial information on $T_0$.)

Step 2: Learning query/answer pairs. We denote by $L_0$ the information that Adv currently has on the oracle $O$ and the randomness of the generation algorithm: that is, $L_0$ consists of $VK$, $\sigma_0$ and the queries made by the verifying algorithm Ver on input $VK, \alpha_0, \sigma_0$, along with the answers to these queries. Let $\varepsilon = \frac{\delta}{qN}$ and $M = \frac{q}{\varepsilon\delta} = \frac{q^2 N}{\delta^2}$. For $i = 1, \dots, M$, do the following:

1. Let $D_{i-1}$ be the distribution of $T_0$, the transcript of the first step, conditioned on only knowing $L_{i-1}$.

2. We let $Q(L_{i-1})$ denote the queries appearing in $L_{i-1}$. If there exists a string $x \in \{0,1\}^\ell \setminus Q(L_{i-1})$ that is queried with probability at least $\varepsilon$ in $D_{i-1}$, then Adv lets $L_i$ be $L_{i-1}$ concatenated with the query/answer pair $(x_i, O(x_i))$, where $x_i$ is the lexicographically first such string. Otherwise, $L_i = L_{i-1}$.

Step 3: Sampling a possible transcript. Adv generates a random transcript $\tilde T_0$ according to the distribution $D_M$. Note that $\tilde T_0$ also determines a secret signing key, which we denote by $\widetilde{SK}$ ($\widetilde{SK}$ may or may not equal the "true" signing key $SK$). $\tilde T_0$ may also determine some query/answer pairs that were not in $L_M$, and hence may not agree with the actual answers of the "true" oracle $O$. We denote by $\tilde O$ the oracle that on input $x$, if $x$ appears as a query in $\tilde T_0$ then $\tilde O(x)$ outputs the corresponding answer, and otherwise $\tilde O(x) = O(x)$.

Step 4: Forging. For every $j = 1, \dots, N-1$, Adv uses $\widetilde{SK}$ and the oracle $\tilde O$ to compute a signature on the message $\alpha_j$, which it then tries to verify, this time using $VK$ and the "true" oracle $O$. Adv outputs the first signature that passes verification.

Analysis. The number of queries asked during the attack is at most $M + qN = \frac{q^2 N}{\delta^2} + qN \le O\left(\frac{q^2 \binom{q}{q/2}}{\lambda\delta^2}\right)$. To analyze the success probability of Adv we will prove the following lemma:

Lemma 4.3. For every $j \in [0..N-1]$, let $V_j$ denote the set of queries made by Adv when verifying the signature on $\alpha_j$. Let $G$ and $S_0$ be the sets of queries made by the generation and signing algorithms according to the transcript $\tilde T_0$. For every $j \ge 1$, let $E_j$ be the event that $V_j \cap (G \cup S_0) \subseteq V_0$. Then,
$$\Pr\Big[\bigcup_{j \in [1..N-1]} E_j\Big] \ge 1 - (\lambda + 2\delta).$$

Note that the event $E_j$ corresponds to the condition that "$\alpha_0$ is useful for $\alpha_j$" described in Section 2. Lemma 4.3 implies Theorem 4.1 since if the event $E_j$ holds then when verifying the signature for $\alpha_j$, the verifier never asks a query on which the oracles $O$ and $\tilde O$ differ (these oracles can differ only on queries in $(G \cup S_0) \setminus V_0$). But if the verifier uses the same oracle $\tilde O$ used by the generation and signing algorithm, then by the definition of a signature scheme, it must accept the signature.

4.1 Proof of Lemma 4.3

It turns out that using known combinatorial techniques, one can show that $\bigcup_j E_j$ holds with high probability if all signatures and verifications were to use the "true" oracle $O$ and signing key $SK$ (as opposed to $\tilde O$ and $\widetilde{SK}$). The idea behind the proof is to show this holds in our case using a hybrid argument. Specifically, we define four distributions $H^0, H^1, H^2, H^3$, where $H^0$ corresponds to $\tilde T_0$ joint with all the oracle queries/answers that the adversary gets during the signing and verification algorithms on $\alpha_j$ for $j \ge 1$ (we call this information the transcript of the experiment), and $H^3$ corresponds to $T_0$ (the real transcript of the first step) joint with the rest of the system's transcript if we use the "true" oracle and signing key (so the adversary is not doing anything in generating $H^3$). We will prove the lemma by showing that the probability of $\bigcup_j E_j$ is almost the same in all these four distributions.

Definition of hybrid distributions. The four hybrid distributions $H^0, \dots, H^3$ are defined as follows:

$H^0$: This is the distribution of $\tilde T_0, T_1, \dots, T_{N-1}$, where $\tilde T_0$ denotes the transcript sampled by Adv in Step 3, while $T_j$ (for $j \ge 1$) denotes the transcript of the $j$-th signature (i.e., the queries and answers of the signing and verification algorithms on $\alpha_j$) as generated by Adv in Step 4. Note that $T_0$ and $\tilde T_0$ also describe the running of the key generation while $T_j$ for $j \ge 1$ do not.

$H^1$: This is the same distribution as $H^0$, except that now in Step 4 of the attack, the adversary uses the modified oracle $\tilde O$ for both signing and verifying the signatures on $\alpha_1, \dots, \alpha_{N-1}$ (recall that in $H^0$ the oracle $\tilde O$ is only used for signing).

$H^2$: This is the same distribution as $H^1$, except that we make a slight modification in the definition of $\tilde O$: for every query $x$ that was asked by the generation, signing, and verification algorithms in the Input step and Step 1 (i.e., for every query in $T_0$), we answer with $O(x)$ only if $x$ also appears in $L_M$. Otherwise, we answer this query with a completely random value. Note that all the queries of the verification are in $L_0$ and so in $L_M$ as well. In other words, $\tilde O$ agrees with $O$ on all the queries that Adv has asked from $O$ till the end of Step 2, and all the others are answered completely at random.

$H^3$: This is the same distribution as the previous ones, with the difference that $\tilde T_0$ is chosen equal to $T_0$ (and so, there is no point in either Step 2 of the attack or in defining $\tilde O$ anymore). In other words, this is the transcript (randomness and all query/answer pairs) of the following experiment: (1) Generate signing and verification keys $(SK, VK)$ using a random oracle $O$; (2) for $j = 0, \dots, N-1$, sign $\alpha_j$ and verify the signature using $SK$, $VK$ and $O$.

Note that the hybrid distributions $H^i$ are over the coin tosses of the oracle, the key generation algorithm, and the adversary. Lemma 4.3 follows immediately from the following claims:

Claim 4.4. $\Pr_{H^0}[\bigcup_{j \ge 1} E_j] = \Pr_{H^1}[\bigcup_{j \ge 1} E_j]$.

Claim 4.5. $\mathrm{SD}(H^1, H^2) \le 2\delta$. Thus, $\Pr_{H^1}[\bigcup_{j \ge 1} E_j] \ge \Pr_{H^2}[\bigcup_{j \ge 1} E_j] - 2\delta$.

Claim 4.6. $H^2 \equiv H^3$. Thus, $\Pr_{H^2}[\bigcup_{j \ge 1} E_j] = \Pr_{H^3}[\bigcup_{j \ge 1} E_j]$.

Claim 4.7. $\Pr_{H^3}[\bigcup_{j \ge 1} E_j] \ge 1 - \lambda$.



4.2 Proof of Claims 4.4 to 4.7

We now complete the proof of Lemma 4.3 by proving Claims 4.4 to 4.7.

Claim 4.4 (Restated). $\Pr_{H^0}[\bigcup_{j \ge 1} E_j] = \Pr_{H^1}[\bigcup_{j \ge 1} E_j]$.

Proof. Suppose we sample the hybrid distributions $H^0$ and $H^1$ using the same oracle $O$, the same randomness for key generation, and the same randomness for the adversary. Then it is easy to see that for any $j$, the event $E_j$ holds for $H^0$ iff it holds for $H^1$, and so does the event $\bigcup_{j \ge 1} E_j$. This shows that the probability of $\bigcup_{j \ge 1} E_j$ happening in both distributions is the same. □

Claim 4.5 (Restated). $\mathrm{SD}(H^1, H^2) \le 2\delta$. Thus, $\Pr_{H^1}[\bigcup_{j \ge 1} E_j] \ge \Pr_{H^2}[\bigcup_{j \ge 1} E_j] - 2\delta$.

Proof. Let $B$ be the event that Adv asks a query in $Q(T_0) \setminus Q(L_M)$, where $Q(T_0)$ denotes the queries in the transcript $T_0$. It is easy to see that conditioned on $B$ not happening, $H^1$ and $H^2$ are identically distributed. That is because if we use the same randomness for key generation, oracle and the adversary in the sampling of $H^1$ and $H^2$, conditioned on $B$ not happening (in both of them), the values of $H^1$ and $H^2$ are equal. In particular it shows that the probability of $B$ is the same in both distributions. Therefore the statistical distance between $H^1$ and $H^2$ is bounded by the probability of $B$. In the following, we show that $\Pr_{H^2}[B] \le 2\delta$. In the following all the probabilities will be in the experiment for $H^2$.

Let $\varepsilon, \delta$ and $M$ be as in Step 2 of Adv: $\varepsilon = \frac{\delta}{qN}$ and $M = \frac{q}{\varepsilon\delta}$. We start by showing $\Pr[C] \le \delta$, where the event $C$ is defined as
$$C :\ \exists x \notin Q(L_M) \text{ that is queried in } D_M \text{ with probability} \ge \varepsilon,$$
and $D_i$ is defined, as in Step 2 of Adv, to be the distribution of the transcript of the first signature conditioned on the information in $L_i$.

Proof of $\Pr[C] \le \delta$. For every possible query $x$ to the random oracle, let $q_x$ denote the probability, taken over both the random oracle and the randomness used by Gen and Adv, that $x$ is queried when generating a key and then signing and verifying $\alpha_0$. Then $\sum_x q_x \le q$ (*), since this sum is the expected number of queries in this process. Let $p_x$ denote the probability that $x$ is learned at some iteration of Step 2. Then $q_x \ge \varepsilon p_x$ (**). Indeed, if $A_i$ is the event that $x$ is learned at the $i$-th iteration, then since these events are disjoint, $q_x = \Pr[x \text{ is queried}] \ge \sum_{i=1}^{M} \Pr[x \text{ is queried} \mid A_i]\Pr[A_i]$. But by definition of the learning process, $\Pr[x \text{ is queried} \mid A_i] \ge \varepsilon$ and hence $q_x \ge \varepsilon \sum_{i=1}^{M} \Pr[A_i] = \varepsilon p_x$. But the event $C$ only occurs if $M$ distinct queries are learned in Step 2. Hence, if it happens with probability more than $\delta$ then the expected number of queries learned, which is $\sum_x p_x$, is larger than $\delta M$. Yet combining (*) and (**), we get that $\delta M < \sum_x p_x \le \sum_x q_x/\varepsilon \le q/\varepsilon$, contradicting the fact that $M = q/(\varepsilon\delta)$. □

Now we will show that $\Pr[B \mid \neg C] \le \delta$, which means that $\Pr[\neg B] \ge \Pr[\neg C]\Pr[\neg B \mid \neg C] \ge (1-\delta)^2 \ge 1 - 2\delta$. Note that Adv makes all its operations in Step 4 based solely on the information in $L_M$, and the answers chosen for queries in $Q(T_0) \setminus Q(L_M)$ do not affect it (because even if queries in $Q(T_0) \setminus Q(L_M)$ are asked by Adv, they will be answered at random). So the value of $H^2$ is independent of $T_0$, conditioned on knowing $L_M$. Thus, instead of thinking of $T_0$ being chosen first, then $L_M$ computed and then all queries of Step 4 being performed, we can think of $L_M$ being chosen first, then Adv running Step 4 based on $L_M$ to sample $H^2$, and then $T_0$ being chosen conditioned on $L_M$ and $H^2$. But because of the independence of $T_0$ and $H^2$ conditioned on $L_M$, the distribution of $T_0$ conditioned on $L_M$ and $H^2$ is that conditioned on only $L_M$, which is the distribution $D_M$. Now assume that $L_M$ makes the event $\neg C$ happen (note that $C$ is determined by $L_M$). Since at most $qN$ queries are made in Step 4, and $C$ has not happened, when $T_0$ is chosen from $D_M$, the probability that $Q(T_0) \setminus Q(L_M)$ contains one of these queries is at most $\varepsilon q N = \delta$. Therefore we get $\Pr[B \mid \neg C] \le \delta$, and $\Pr[B] \le 2\delta$. □

Claim 4.6 (Restated). $H^2 \equiv H^3$. Thus, $\Pr_{H^2}[\bigcup_{j \ge 1} E_j] = \Pr_{H^3}[\bigcup_{j \ge 1} E_j]$.

Proof. In the sampling of $H^3$ we can think of $L_M$ being chosen first (although not needed), and then $T_0$ being chosen conditioned on $L_M$ (i.e., from the distribution $D_M$), and then Step 4 of the experiment is done while any query in $Q(L_M) \cup Q(T_0)$ is answered according to $L_M, T_0$, and any other query is answered randomly. (That is, we sample $L_M$ and $T_0$ in the reverse order.) The point is that during the sampling process of $H^2$ we are doing exactly the same thing. Again, we sample $L_M$ first. Then $\tilde T_0$ is chosen from the distribution $D_M$. Then Step 4 is done while any query in $Q(L_M) \cup Q(\tilde T_0)$ is answered according to $L_M, \tilde T_0$, and all other queries (even the ones in $Q(T_0) \setminus Q(L_M)$) are answered randomly. Therefore $H^2$ and $H^3$ have the same distribution. □

Claim 4.7 (Restated). $\Pr_{H^3}[\bigcup_{j \ge 1} E_j] \ge 1 - \lambda$.

Proof. We will prove that this holds for every fixed oracle and randomness of all parties, as long as the permutation $\alpha_0, \dots, \alpha_{N-1}$ is chosen at random. For every fixing of the oracle and randomness and $j \in [0..N-1]$, let $U_j = G \cup S_{\beta_j}$ denote the set of queries made by either the key generation algorithm or the signing algorithm for message $\beta_j$, and let $V_j$ be the set of queries made by the verification algorithm while verifying this signature. The proof will follow from this fact:

Combinatorial Lemma: If $U_1, \dots, U_K, V_1, \dots, V_K$ are subsets of some universe satisfying $|U_i| + |V_i| \le q$ and $U_i \cap V_j \not\subseteq V_i$ for every $i \ne j$, then $K \le \binom{q}{q/2}$.

The Combinatorial Lemma immediately implies Claim 4.7. Indeed, for every $i, j$ with $i \ne j$, define the event $E_{ij}$ to hold if $U_i \cap V_j \subseteq V_i$. Then, there must be at least $N - \binom{q}{q/2} = N(1-\lambda)$ indices $i$ (i.e., a $1 - \lambda$ fraction of them) such that $E_{ij}$ holds for some $j$ (otherwise we could remove all such $i$'s and obtain a family of size larger than $\binom{q}{q/2}$, contradicting the Combinatorial Lemma). But if we choose a permutation $\alpha_0, \dots, \alpha_{N-1}$ such that $\alpha_0 = \beta_i$ for such an $i$, then the event $\bigcup_j E_j$ holds.

Thus, all that is left to prove is the Combinatorial Lemma. It essentially follows from Bollobás's Inequality [Bol65], but we repeat the argument here. Assume for the sake of contradiction that there is a family $U_1, \dots, U_K, V_1, \dots, V_K$ satisfying the conditions of the lemma with $K > \binom{q}{q/2}$. First, we can remove any elements from $U_i$ that are also in $V_i$, since this will not hurt any of the conditions. It means that now we have: for every $i, j$, $U_i \cap V_j = \emptyset$ iff $i = j$. Now, take a random ordering of the universe $W = \bigcup_i (U_i \cup V_i)$, and let $A_i$ be the event that all the members of $U_i$ occur before the members of $V_i$ in this order. The probability of $A_i$ is $1/\binom{|U_i| + |V_i|}{|U_i|} \ge 1/\binom{q}{|U_i|} \ge 1/\binom{q}{q/2}$. Hence if $K > \binom{q}{q/2}$, there is a positive probability that both $A_i$ and $A_j$ hold for some $i \ne j$. But it is not hard to see that in that case, either $U_i$ and $V_j$ are disjoint or $U_j$ and $V_i$ are disjoint, contradicting our hypothesis. □

5 A One-Time Signature Scheme

The following theorem shows that Theorem 1.1 is tight up to a constant factor in the number of queries.

Theorem 5.1. There is a one-time signature scheme (Gen, Sign, Ver) for messages $\{0,1\}^*$, using a total of $q$ queries to a random oracle, that has security $2^{(0.812 - o(1))q}$, where $o(1)$ is a term tending to $0$ with $q$.

Proof. The scheme is basically Lamport's scheme [Lam79] with two changes: (1) we use a more efficient anti-chain (family of incomparable sets) than Lamport's scheme (a well-known optimization) and (2) we use a secret "salt" value for the hash function to prevent a birthday attack.

The Scheme Description. Let $c = (3 - \sqrt{5})/2$ and $k$ be such that $(1+c)k + 4 = q$.

• Generate the keys by choosing $k$ random strings $x_i \in \{0,1\}^{q+i}$ for $0 \le i \le k-1$,^10 and an additional random string $z \in \{0,1\}^{2q}$. The secret key consists of these values, and the public key is $O(x_0), \dots, O(x_{k-1}), O(z)$.

• Let $h(\alpha)$ be the first $\log\binom{k}{ck}$ bits of $O(z, \alpha)$, which we identify with a $ck$-sized subset of $\{0, \dots, k-1\}$. The signature of $\alpha$ consists of $\{x_i\}_{i \in h(\alpha)}$ and the string $z$.

• To verify a signature, we first verify that $O(z)$ is equal to its alleged value, then we ask $O(z, \alpha)$ to know $h(\alpha)$, and then we ask $ck$ more queries to check that the released strings are indeed preimages of the corresponding entries of the public key indexed by $h(\alpha)$.

^10 If we choose all of them from $\{0,1\}^q$ the scheme is still as secure as we claimed, but now the analysis is simpler.

The number of queries is $q = (1+c)k + 4$, while, as we will see, the security is at least
$$\binom{k}{ck} = 2^{(H(c) - o(1))k} = 2^{\left(\frac{H(c)}{1+c} - o(1)\right)q} \ge 2^{(0.812 - o(1))q},$$
where $H(\cdot)$ is the Shannon entropy function.

Let $T$ be the total number of oracle queries asked by the adversary and $\alpha \ne \beta$ be (in order) the message for which she asks a signature and the message for which she tries to forge a signature. We assume without loss of generality that $T < 2^{q-1}$, because $2^{q-1} \gg \binom{k}{ck}$. We divide the winning cases for the adversary into three cases:

1. The adversary chooses some $z' \in \{0,1\}^{2q}$, $z' \ne z$ such that $O(z) = O(z')$, alleged to be the real $z$ in the signature of $\beta$.

2. The adversary uses the real $z$ in the signature of $\beta$ and $h(\alpha) = h(\beta)$.

3. The adversary uses the real $z$ in the signature of $\beta$ and $h(\alpha) \ne h(\beta)$.

We will show that the probability that the adversary wins conditioned on being in case 3 is at most $O(T/\binom{k}{ck})$, and the probability that either case 1 or case 2 happens at all is also at most $O(T/\binom{k}{ck})$. So, the total probability of winning for the adversary will be at most $O(T/\binom{k}{ck})$ as well.

In case 1, even if we reveal $z$ to the adversary in the first place (the $x_i$'s are irrelevant), she has a chance of at most $(1+T)/2^q$ to find some $z' \ne z$ such that $O(z) = O(z')$. That is because she gets to know at most $T$ oracle query/answer pairs (other than $(z, O(z))$), and the probability that she gets $O(z)$ in one of them is at most $T/2^q$. If she does not see $O(z)$ as an oracle answer, she needs to guess $z'$ blindly, which succeeds with probability at most $1/2^q$.

In case 2, we reveal all $x_i$'s to the adversary at the beginning, although they are indeed irrelevant to finding a pair $\alpha \ne \beta$ such that $h(\alpha) = h(\beta)$ (because they are of length $< 2q$). Before the adversary gives us $\alpha$, it asks at most $T$ queries of length $2q$. So, the probability that she gets some $z' \in \{0,1\}^{2q}$ such that $O(z') = O(z)$ is at most $T/2^{2q} = o(T/\binom{k}{ck})$. Let us assume that this has not happened. So, we can pretend that when we receive $\alpha$, the value of $z$ is chosen at random, different from the members of $\{0,1\}^{2q}$ that are asked from the oracle by Adv. Thus, the probability that any adversary's query so far with length more than $2q$ has the prefix $z$ will be at most $T/(2^{2q} - T) \le T/2^{2q-1} = o(T/\binom{k}{ck})$. It means that with probability $1 - O(T/\binom{k}{ck})$, so far no query was asked from the oracle which has $z$ as prefix. Assuming this is the case, when we ask the query $(z, \alpha)$ from the oracle, $h(\alpha)$ is chosen uniformly at random from $\{0,1\}^{\log\binom{k}{ck}}$. Hence, if the adversary asks $T$ more oracle queries of the form $(z, \gamma)$ where $\gamma \ne \alpha$, one of them will give $h(\gamma) = h(\alpha)$ with probability at most $T/\binom{k}{ck}$, and if it does not happen for any of them, a blind guess $\beta$ by the adversary will give $h(\alpha) = h(\beta)$ with probability $1/\binom{k}{ck}$. So, the probability of getting $\alpha \ne \beta$, $h(\alpha) = h(\beta)$ for the adversary is at most $O(T/\binom{k}{ck})$.

In case 3, there always is some $i \in h(\beta) \setminus h(\alpha)$. We choose the smallest such $i$, call it $i_0$, and change the game slightly by revealing $z$ to Adv from the beginning and revealing all $x_j$'s for $j \ne i_0$ to her after she gives us $\beta$. This can only increase her chance of success (although they are irrelevant because they have different lengths). For any fixed $i \in \{0, \dots, k-1\}$, we show that the probability of the adversary finding a preimage for $O(x_i)$ conditioned on $i = i_0$ is at most $(T+1)/2^{q+i_0} \le (T+1)/2^q$ (which is necessary for her to win), and then by the union bound, the probability of success for the adversary in this case will be at most $k(T+1)/2^q = O(T/\binom{k}{ck})$. The reason is that the adversary can ask at most $T$ oracle queries after we reveal the $x_j$'s for $j \ne i_0$ in order to find a preimage for $O(x_{i_0})$. The probability that for one of the queries $x$ among these $T$ queries she asks we have $O(x_i) = O(x)$ is at most $T/2^{q+i_0}$, and when it does not happen, the adversary has to guess a preimage for $O(x_i)$ blindly, which will be correct with probability $1/2^{q+i_0}$. □

The constant $c$ in the description of the scheme maximizes $\binom{k}{ck}$, conditioned on $q \approx (1+c)k$. The same ideas show that whenever $n \le dq$, where $d \approx 0.812$ is obtained as above ($d = H(c)/(1+c)$), there is a one-time signature scheme for messages $\{0,1\}^n$ that makes only $q$ queries and achieves security exponential in the length of its queries.
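The salted Lamport-style scheme described above, as an added worked example that is not code from the paper: SHA-256 stands in for the random oracle $O$, the parameters $k = 13$ and $ck = 5$ (so $c \approx 0.385$) are constructed for the demo, and the $ck$-subset is decoded from the first $\lfloor \log_2 \binom{k}{ck} \rfloor$ bits of $O(z, \alpha)$ with the combinatorial number system (my choice of encoding; the paper only says the bits are identified with a subset). An oracle-call counter lets you check the $q = (1+c)k + 4$ query accounting, and a helper shows why re-using a signature on a second message fails.

```python
"""Salted Lamport-style one-time signature (Section 5), added example.

Assumptions: SHA-256 models the random oracle O; k = 13, ck = 5 and the
byte lengths below are constructed demo parameters, not values from the paper.
"""
import hashlib
import os
from math import comb

K = 13            # number of secret strings x_0 .. x_{k-1}
CK = 5            # every message maps to a CK-sized subset of {0..k-1}
QBYTES = 4        # stand-in for "q bits": x_i has QBYTES+i bytes, z has 2*QBYTES
SUBSET_BITS = comb(K, CK).bit_length() - 1   # floor(log2 C(k, ck)) bits of O(z, alpha)

_calls = [0]      # oracle-query counter, to check q = (k+1) + 1 + (ck+2) = (1+c)k + 4


def oracle(x: bytes) -> bytes:
    """Random-oracle stand-in (assumption: SHA-256); counts every query."""
    _calls[0] += 1
    return hashlib.sha256(x).digest()


def oracle_calls() -> int:
    return _calls[0]


def unrank_subset(r: int, k: int, m: int) -> frozenset:
    """Map r in [0, C(k, m)) to the r-th m-subset of {0..k-1} in lexicographic
    order (combinatorial number system). Equal-size subsets form an antichain:
    no subset for one message is contained in the subset for another."""
    chosen = []
    for i in range(k):
        if len(chosen) == m:
            break
        with_i = comb(k - i - 1, m - len(chosen) - 1)   # subsets whose next element is i
        if r < with_i:
            chosen.append(i)
        else:
            r -= with_i
    return frozenset(chosen)


def h(z: bytes, msg: bytes) -> frozenset:
    """h(alpha): first SUBSET_BITS bits of O(z, alpha), read as a ck-subset."""
    digest = oracle(z + msg)
    r = int.from_bytes(digest, "big") >> (256 - SUBSET_BITS)
    return unrank_subset(r, K, CK)


def keygen():
    """k+1 oracle queries: secret key (x_0..x_{k-1}, z), public key (O(x_i)..., O(z))."""
    xs = [os.urandom(QBYTES + i) for i in range(K)]   # distinct lengths, as in the paper
    z = os.urandom(2 * QBYTES)                        # secret salt, never queried alone by others
    sk = (xs, z)
    pk = ([oracle(x) for x in xs], oracle(z))
    return sk, pk


def sign(sk, msg: bytes):
    """One oracle query: release the x_i indexed by h(msg) together with the salt z."""
    xs, z = sk
    return ({i: xs[i] for i in h(z, msg)}, z)


def verify(pk, msg: bytes, sig) -> bool:
    """ck+2 oracle queries: check O(z), recompute h(msg), check each released preimage."""
    ys, yz = pk
    released, z = sig
    if oracle(z) != yz:
        return False
    subset = h(z, msg)
    if set(released) != subset:         # antichain: a different subset never suffices
        return False
    return all(oracle(released[i]) == ys[i] for i in subset)


def message_with_other_subset(z: bytes, alpha: bytes) -> bytes:
    """Constructed helper: find beta != alpha with h(beta) != h(alpha), so a forger who
    merely re-uses alpha's signature is missing at least one preimage (case 3 above)."""
    target = h(z, alpha)
    n = 0
    while True:
        beta = alpha + b"/" + str(n).encode()
        if h(z, beta) != target:
            return beta
        n += 1


if __name__ == "__main__":
    sk, pk = keygen()
    alpha = b"pay 10 to alice"
    sig = sign(sk, alpha)
    print("valid signature accepted:", verify(pk, alpha, sig))
    beta = message_with_other_subset(sk[1], alpha)
    print("re-used signature on another message accepted:", verify(pk, beta, sig))
```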

6 Extensions

Now we prove several extensions of Theorem 1.1.

6.1 Other oracles

Using minor changes to the proof of Theorem 4.1 we can get a similar lower bound for signature schemes based on the ideal cipher or random permutation oracles. This is important as these oracles are also sometimes used to model highly efficient symmetric-crypto primitives, and so it is an interesting question whether such oracles can be used to construct signatures more efficiently.

Theorem 6.1. Let $O$ be the ideal cipher oracle. Then, for every one-time signature scheme for messages $\{0,1\}^n$ using a total of $q \le n/4$ queries to $O$ there is an adversary making $2^{(4 - o(1))q}$ oracle queries that breaks the scheme with probability $1 - o(1)$, where $o(1)$ denotes a term tending to $0$ with $q$. In case $O$ is the random permutation oracle, only $q \le n/2$ is needed to get an adversary asking $2^{(2 - o(1))q}$ queries, breaking the scheme with probability $1 - o(1)$.

Proof. We explain the proof for the ideal cipher oracle. Extending the proof to the random permutation oracle is straightforward.

We change both the signature scheme and the oracle for the sake of the analysis. We let the new oracle $O'$ be the same as $O$ except that $O'$ does not answer queries of the form $(k, x, d)$ whenever $|x| \le 2(q + \log q)$. Instead it answers queries of the type $(k, n)$ where $n \le 2(q + \log q)$, to which it returns the long string containing the concatenation of $O(k, x, F)$ for all $x \in \{0,1\}^n$.

We change the signature scheme to get a new scheme (Gen', Sign', Ver') as follows: (1) use $O'$ instead of $O$ and (2) whenever an algorithm makes a query $(k, x, d)$ and obtains an answer $y$, it will also make the "redundant" query $(k, y, \bar d)$ (where $\bar d = B$ if $d = F$ and vice versa). Note that the total number of queries of the new scheme is at most $q' = 2q$.

Lemma 6.2. Given the scheme (Gen', Sign', Ver'), there is an adversary Adv making at most $\mathrm{poly}(q') 2^{q'}$ queries to $O'$ that breaks the scheme with probability $1 - o(1)$.

Lemma 6.2 implies Theorem 6.1 since any such adversary can be implemented using the oracle $O$ with at most a $q^2 2^{2q}$ factor increase in the number of queries, and the total number of queries will be $\mathrm{poly}(q') 2^{q'} q^2 2^{2q} = 2^{(4 - o(1))q}$.

Proof. The description of the attack remains basically the same as that of Theorem 4.1 with the parameters set as in Corollary 4.2 (i.e. $N = 2^q$, $\lambda = \delta = \Theta(q^{-1/2})$), and we have the same distributions $H^0, H^1, H^2, H^3$ as before. However, there are some minor changes as follows:

• During Step 2 of the attack, whenever we learn a query, we add both the query and its dual to $L_i$.

• During Step 4 of the attack we might discover an inconsistency between the guesses we made in the sampled transcript $\tilde T_0$ and the answers we receive from the oracle $O$. That is, we might get the same answer for two different plaintexts with the same key. However, as we will see, this will only happen with small probability, and we can safely ignore this case.

• The definition of $H^2$ needs to change a little. Namely, in the experiment for the distribution $H^2$, during the signing and verification of $\alpha_1, \dots, \alpha_{N-1}$, whenever we make a new non-redundant query $(k, x, d)$, we look at all queries of the form $(k, \cdot, d)$ appearing either in the transcript of the system so far (i.e. $\tilde T_0, T_1, \dots$) or in the learned queries of $L_M$. Then we choose a random answer $y$ from the set of unused answers and use it as the oracle answer for $(k, x, d)$. The next redundant query $(k, y, \bar d)$ is simply answered by $x$.

The differences between the proof in this case and the proof of Theorem 4.1 are the following:

• We need to include in the event $E_j$ the condition that the queries made in the $j$-th signing and verification are consistent with (the key generation part of) the transcript $\tilde T_0$, in the sense that they do not specify two queries $(k, x, d), (k, x', d)$, $x \ne x'$, which map to the same answer $y$. The consistency condition guarantees (by definition) that if $E_j$ occurs, then the verifier will accept the signature.^11 The combinatorial condition $V_j \cap (G \cup S_0) \subseteq V_0$ still guarantees that the verification does not ask any query for which we have guessed the answer.

• We can still prove that $\Pr_{H^0}[\exists j\, E_j] = \Pr_{H^1}[\exists j\, E_j]$ using basically the same proof as in Claim 4.4. We just have to note that as long as $E_j$ happens in both experiments, there is no way to distinguish their $j$-th signing and verification, and the consistency also happens either in both or in none of them.

• We again show $\mathrm{SD}(H^1, H^2) = o(1)$. The reason is that the difference between the distributions $H^1$ and $H^2$ is due to some events which happen with probability $o(1)$. That is, there are events in the experiments of sampling $H^1$ and $H^2$ which happen with probability $o(1)$ and, conditioned on them not happening, $H^1$ and $H^2$ have the same distribution.

  – Similar to Claim 4.5, one of the differences between the distributions $H^1, H^2$ might be because of Adv asking a query in $Q(T_0) \setminus Q(L_M)$. By the same analysis given in the proof of Claim 4.5, the probability that we ask any such query (in both experiments) is at most $2\delta = o(1)$. So, in the following we assume that this case does not happen.

  – In the experiment of sampling $H^1$, when a new non-redundant query $(k, x, d)$ is asked in the $i$-th ($i \ge 1$) signing or verification, the returned answer $y$ might be equal to a guessed answer for a query $(k, x', d)$ of $\tilde T_0$ (we call this event $F_1$), but it is never equal to the answer of a query $(k, x'', d) \in Q(T_0) \setminus Q(L_M)$. The situation for $H^2$ is the reverse: on a new non-redundant query $(k, x, d)$ during the $i$-th ($i \ge 1$) signing or verification, the answer is never equal to a guessed answer for a query $(k, x', d)$ in $\tilde T_0$, but it might be equal to the answer of a query $(k, x'', d) \in Q(T_0) \setminus Q(L_M)$ (we call this event $F_2$). Note that $(H^1 \mid \neg F_1) \equiv (H^2 \mid \neg F_2)$. As we will see, $\Pr[F_i] = o(1)$ for $i = 1, 2$, which shows that $\mathrm{SD}(H^1, H^2) = o(1)$.

  The reason for $\Pr[F_1] = o(1)$ is that whenever we have a new non-redundant query in the $i$-th ($i \ge 1$) signing or verification, its answer is chosen from a set of size at least $q^2 2^{2q}$ minus the number of answers already used, which might hit a guessed answer for a query in $\tilde T_0$ with probability at most $q'/(q^2 2^{2q} - q' 2^q) = o(1)$. The same argument holds for $\Pr[F_2] = o(1)$.

• Claim 4.6 still holds with a similar proof because of the way we defined $H^2$ for the case of the ideal cipher.

• Claim 4.7 is still correct with the same proof. Note that all the signings and verifications are consistent. □

^11 This also guarantees that there is no inconsistency between the $j$-th verification and the transcript $T_0$, but later we will show that the total consistency happens with good probability.

A similar and simpler proof works for the case of a random permutation oracle. In this case, we again change the oracle by merging small queries into a single query with a huge answer, but we don't have the issue of adding "dual" queries, and therefore the condition $q \le n/2$ (rather than $q \le n/4$) is enough to get an adversary who breaks the scheme with probability $1 - o(1)$ by asking $2^{(2 - o(1))q}$ queries (rather than $2^{(4 - o(1))q}$ queries). □



6.2 Implementing Adversary in BPP^^. 

If the signature scheme is efficient, using an NP oracle, our adversary can run in time poly(n, 2'^), 
where n is the length of messages to be signedQ That is, we prove the following lemma: 



Lemma 6.3. // the signature scheme is efficient, the adversary of the proof of Theorem \4-l\ can be 
implemented in poly(n,2'^) time using an oracle to an 'NP-complete problem. 

Lemma 16.31 can be interpreted as saying that a non-black-box proof of security for a signature 
scheme more efficient than the lower bounds provided by Theorem 14.11 will necessarily imply a proof 
that P 7^ NP. 

The only place in which the adversary uses its unbounded computational power is in Step 2 where 
it chooses Xi to be the lexicographically first unlearned string in {0, 1}^ such that Xi is queried in 
Dj with probability at least e, and in Step 3 when it samples a random Tq from 'Dm- 
We show that: 



^■^In general, the security parameter could be different from the length of the messages n. For example, in Section[5] 
the security parameter was q (so the security was 2^'''), and the running time of the algorithms was poly(n, q). Here, 
for simplicity, we assume that £ — poly(n), and all the algorithms' queries are of length I. 
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• Using an NP oracle, we can sample from a distribution in expected poly(n, 2'^) time such 
that SD(D^, Dj) < e, where e is as defined in Step 2. 

• Using the sampler, we can implement the adversary in poly(n, 2'^) time with similar success 
probability. 

We first show how to use a D- sampler to implement the adversary efficiently and then will 
show how to sample from efficiently using an NP oracle. 

Efficient adversary using a Dj approximate-sampler. So, here we assume that we can 
sample efficiently from a distribution D- such that SD(D^,Dj) < e. In order to choose Xi in the 
i^^ step of the learning phase, we do the following. Let m = (/ + logM — log(^)/e^. We sample m 
times from D- to get D^^ . . . , Then we choose Xi to be the lexicographically first unlearned 
query (i.e. not in Lj_i) which appears in at least 2e fraction of (5(D^)'s. 

Claim 6.4. With probability at least 1 — 5 we get the following: For every x G {0, 1}', and every 
l<i<M: 

1. //Pr[x € Q(Dj)] > 3e, then x appears in more than 2e fraction of Q{Dl) 's. 

2. //Pr[x G Q(Di)] < e, then x appears in less than 2e fraction of Q{Dj) 's. 

If the event above happens, it means that the learning algorithm learns all the 3e-heavy queries 
in its M rounds with probability at least 1—6 (using the same argument as before). Therefore we get 
a weaker, yet strong enough, version of Claim saving that the SD(H^, H^) < 36 + 6 + S = o{S). 

The Claim 16.41 follows from the Chernoff bound. The probability that any specific x violates 
the claim's condition in any of the rounds is at most e""*"^ < 2"'"'^ = 2~'~^°§^"^+'°§''. By union 
bound, the probability that the event is not violated at most M2'2"'"^°s A^+iog5 ^ ^_ 

Sampling efficiently using an NP oracle. Note that Lj which captures our knowledge 
of the system after the i*^ round of the learning phase can be encoded with poly(n, 2"^) bits. The 
number of random bits used by the adversary till the end of the i^^ round of the learning phase is 
also poly(n, 2^). For some technical reason which will be clear later, we add the randomness used by 
the adversary to the description of Lj. Similarly, any (possible) transcript D which Pr[Dj = D] > 
can be represented with poly(n, q) < poly(n, 2^) bits. In the following we always assume that such 
encodings are used to represent Lj and D. 

In order to sample from a distribution close to $D_i$ we use the following lemma:

Lemma 6.5. There is a function $f: \{0,1\}^* \times \{0,1\}^* \to \mathbb{N}$ which is efficiently computable (i.e., in time $\mathrm{poly}(n, 2^q)$) with the following properties:

1. $f(L_i, D) = \lfloor c \Pr[D_i = D] \rfloor$ for some constant $c$ depending on $L_i$. So we have $f(L_i, D) = 0$ if $\Pr[D_i = D] = 0$.

2. $f(L_i, D) > 10/\epsilon$ whenever $\Pr[D_i = D] > 0$, where $\epsilon$ is as defined in Step 2.

Before proving the lemma, we see how it is used.

Corollary 6.6. We can sample from a distribution $\tilde{D}_i$ such that $\mathrm{SD}(D_i, \tilde{D}_i) < \epsilon$ in time $\mathrm{poly}(n, 2^q)$ (where the time $\mathrm{poly}(n, 2^q)$ is independent of $i$ for $1 \le i \le M$).

Proof. Let $W_i = \{(D, j) \mid 1 \le j \le f(L_i, D)\}$ be the set of "witnesses" for $L_i$, where $f$ is the function in Lemma 6.5. Lemma 6.5 shows that the relation $R = \{(L_i, w) \mid w \in W_i\}$ is an NP relation. It is known [BGP00] that for any NP relation there is a witness-sampling algorithm (using an NP oracle) that, given any $x$, samples one of the witnesses of $x$ uniformly in expected $\mathrm{poly}(|x|)$ time. Therefore, we sample a random $w = (D, j)$ such that $w \in W_i$ in expected $\mathrm{poly}(n, 2^q)$ time, and output $D$. It is easy to see that the distribution $\tilde{D}_i$ of our output has statistical distance at most $\epsilon$ from the distribution $D_i$ (since $f(L_i, D) > 10/\epsilon$ whenever it is nonzero, rounding down changes each weight by a factor of at most $1 - \epsilon/10$). □

Proof (Lemma 6.5). Recall that $D_i$ is the distribution of transcripts $T_O$ conditioned on the information given in $L_i$. Let $E(L_i)$ be the event that during the running of the system (and our attack) the adversary's knowledge about the system and its randomness after the $i$-th round of the learning is what $L_i$ denotes. Similarly, let $E(D)$ be the event that $D = T_O$ is the case in our experiment. Thus, for every transcript $D$, $\Pr[D_i = D] = \Pr[E(D) \mid E(L_i)]$. If we could compute $\Pr[E(D) \mid E(L_i)]$, we could use it directly in Lemma 6.5; but instead of doing that, we will rather compute $\Pr[E(D) \wedge E(L_i)]$, which is proportional to $\Pr[E(D) \mid E(L_i)]$ up to a constant factor depending on $L_i$, and will scale it up to some big integer.

Given $L_i$ and $D$, in order to compute $\Pr[E(D) \wedge E(L_i)]$, we track the whole experiment from the beginning in the following order:

• Key generation

• Signing $\sigma_0$

• The attack (which includes the verification of $\sigma_0$ as its first step) to the end of the $i$-th round of the learning

At any moment that some coin tossing is involved (i.e., in the key generation algorithm, in the attack, or in an oracle answer), the result is determined by the description of $L_i$ and $D$. Thus, we can calculate the probability that the given values of $L_i$ and $D$ will be the ones in the real running of the experiment (see the footnote below). More quantitatively, during the simulation of the experiment, we receive any specific oracle answer with probability at least $2^{-\ell}$ whenever it is a possible answer, and the probability of getting a specific random tape for the key generation and the adversary is at least $2^{-\mathrm{poly}(n, 2^q)}$. Since the total probability $\Pr[E(D) \wedge E(L_i)]$ is the product of all those probabilities that we get during the simulation of the system, and because the number of oracle queries that we examine is at most $2^{O(q)}$, we get $\Pr[E(D) \wedge E(L_i)] \ge 2^{-\mathrm{poly}(n, 2^q)}$ whenever $\Pr[E(D) \wedge E(L_i)] \ne 0$. Note that $\epsilon$ in the attack is $2^{-O(q)}$. Therefore, for a big enough constant $c = \mathrm{poly}(n, 2^q)$, the function $f(L_i, D) = \lfloor c \Pr[E(D) \wedge E(L_i)] \rfloor$ is computable in time $\mathrm{poly}(n, 2^q)$ and we have $f(L_i, D) > 10/\epsilon$ as well. □

6.3 Handling imperfect completeness 

While the typical definition of a signature scheme stipulates that a valid signature (generated by the signing algorithm with the correct key) should be accepted with probability one, it makes sense to consider (especially in the context of negative results) also signatures where the verifier may reject such signatures with small probability, say 1/10. We are able to extend our result to this case as well:

Footnote to the proof of Lemma 6.5: For the case of ideal cipher or random permutation oracles, we need to keep track of the oracle answers so far during the simulation of the experiment, in order to know what the probability of receiving a specific answer from the oracle is at any point.

Theorem 6.7. For every one-time signature scheme for messages $\{0,1\}^n$, accepting correct signatures with probability at least 0.9 (over the randomness of the verifier), and asking a total of $q < \sqrt{n}/20$ queries to a random oracle, there is (1) an adversary making $2^{(1+o(1))q}$ queries that breaks the scheme with probability at least $2^{-q}$, and (2) an adversary making $2^{O(q)}$ oracle queries that breaks the scheme with constant probability.

The proof of part (1) is a straightforward extension of the proof of Theorem 4.1, and so we bring here only the proof of part (2):

Lemma 6.8. For every one-time signature scheme with imperfect completeness (i.e., the verifier can reject valid signatures with probability at most 1/10 over its coins) there is an adversary asking $2^{O(q)}$ queries that finds, with probability $1 - o(1)$, a message/signature pair which passes the verification with probability at least 0.7. (The probability 0.7 could be substituted by any constant less than 0.9 by changing the constants in the proof.)

Proof. The main difference between the proof of this lemma and that of Theorem 4.1 is the way we define the sets $V_j$. They are not simply the queries that the verifications ask from the oracle. For the sake of analysis, for every $j$, we define the set $V_j$ to be the set computed by the following process: run the $j$-th verification algorithm on the generated message/signature pair $m$ times (for $m$ to be defined later), and let $V_j$ be the set of queries that appeared in at least a $1/(20q)$ fraction of these verifications. Hence, we have $|V_j| \le 20q^2$. Note that the definition of $V_j$ depends on the oracle used to do the verifications. We will treat the sets $V_j$ in the analysis similarly to what we did with them under their previous definition. So, we define the new parameter $r = 20q^2$ to be the upper bound on $|G| + |S_j| + |V_j|$, while $q$ is still an upper bound for $|G| + |S_j|$. As we will see, the proof will be similar to that of Theorem 4.1 and the parameters are set similarly to those of Corollary 4.2: $\delta = \Theta(r^{-1/2}) = \Theta(1/q)$, $m = \mathrm{poly}(q)$, and a new, smaller value of $\epsilon$. Other than the parameters, the differences compared to the previous attack are:

1. When obtaining the signature $\sigma_0$ in Step 1, we run the verification algorithm $m$ times and record in $L_0$ all the resulting query/answer pairs.

2. In Step 4 we test each generated message/signature pair $q^2$ times and output the first signature that passes the verification in at least a 0.75 fraction of these $q^2$ times.

We also define the set $U_j$ to be the set of queries that the $j$-th verification asks from the oracle with probability at least $1/(10q)$ over its own randomness after we fix the random oracle. Hence we have $|U_j| \le 10q^2$.

We say that $E_j$ holds if (as before) $V_j \cap (G \cup S_0) \subseteq V_0$. We also say that the event $E$ holds if $U_j \subseteq V_j$ for every $j$.

Claim 6.9. If $E_j \wedge E$ holds, then the $j$-th signature will be accepted by the verifier with probability at least $0.9 - 0.1 = 0.8$ over the randomness of the verifier.
Proof. The only way this won't happen is that with probability at least 1/10, the verifier makes a query in the (at most $q$-sized) set $(G \cup S_0) \setminus V_0$. But if this happens, then there is a query in that set that is queried first with probability at least $1/(10q)$; yet because $E$ holds, that means it will be contained in $U_j \subseteq V_j$, contradicting $E_j$. □

For any specific $1 \le j \le N$, by the Chernoff bound, the probability that the fraction of times that we accept the generated signature $\sigma_j$ is 0.05-far from its real probability of being accepted by the verifier is at most $e^{-q^2/200}$, and by the union bound, the probability that this happens for some $j$ is at most $2^{20q} e^{-q^2/200} = o(1)$. Now suppose $E_j \wedge E$ holds for some $j = j_0$. So by Claim 6.9, firstly we will output a pair of message and signature, and secondly this pair is accepted by the verifier with probability at least 0.7.

Claim 6.10. We have $\Pr[E] \ge 1 - o(1)$.

Proof. By the Chernoff bound, the probability that a particular member of $U_j$ is not in $V_j$ is at most $e^{-20q^2}$. By the union bound over the members of $U_j$ and over $j$, we have $\Pr[U_j \not\subseteq V_j \text{ for some } j] \le 10q^2 \cdot 2^{20q} \cdot e^{-20q^2} = o(1)$. □

Now that we know $E$ holds almost always, it only remains to show that with high probability $E_j$ happens for some $j$. This time we define the four hybrid distributions $H^1, H^2, H^3, H^4$ a bit differently. Instead of putting in $H^*$ the query/answer pairs that we received during one verification, we put in $H^*$ all such pairs that we get at some point during the $m$ times that we run the verification.

The proofs of Claims 4.4–4.7 also work basically in the same way as before:

• Claim 4.4 still holds with the same proof.

• Claim 4.5 still holds with the same proof because of the new smaller value of $\epsilon$ that we used.

• Claim 4.6 still holds with the same proof.

• Claim 4.7 is still correct with the same proof because the condition $q < \sqrt{n}/20$ guarantees that there is enough room to choose $N < 2^n$ different messages in the attack.

So, our adversary asks at most $Nmq + M + Nq^2 = \mathrm{poly}(q)\, 2^{20q} = 2^{O(q)}$ queries, and with probability $1 - o(1)$ finds a message/signature pair passing the verification with probability at least 0.7. □

We note that the combination of all the above extensions holds as well (e.g., we can implement in $\mathrm{BPP}^{\mathrm{NP}}$ an adversary that breaks any signature scheme with imperfect completeness that is based on the ideal cipher).



6.4 Efficiency of the verifier 

Because the signing and verification algorithms are run more often than the key generation, lower bounds on their own efficiency are still meaningful. In Section 5 we saw that the signing algorithm can be very efficient while the total number of queries was almost optimal. Here we show that if we want to get an efficient verifier and exponential security at the same time, the total number of queries becomes inefficient.
Theorem 6.11. For every one-time signature scheme for messages $\mathcal{M}$ with total $q$ oracle queries

(1)

where, if the verification asks at most $v \le q/2$ oracle queries and …, then there is an adversary asking at most $O(\,\cdot\,)$ queries that breaks the scheme with probability at least $1 - \lambda - \delta$.

Before going over the proof, note that for any $v, k \in \mathbb{N}$ with $3 \le v \le q/2$ (i.e., $1 \le v - 2 \le k$ where $v + k + 2 = q$) the scheme of Section 5 can be simply changed to get a new scheme in which the verifier asks $v$ queries, by revealing $(v-2)$-sized subsets of the $x_j$'s as the signature rather than $ck$-sized ones. A proof similar to that of Theorem 5.1 shows that this new scheme has security $\Omega\big(\binom{k}{v-2}\big)$. For $q = dv$ with a constant $d$, the maximum security $S$ one can get by asking at most $v = q/d$ queries in verification and $q$ queries in total is bounded as $H(\tfrac{1}{d-1})(1 - \tfrac{1}{d}) - o(1) \le \tfrac{\log S}{q} \le H(\tfrac{1}{d}) + o(1)$, where $H(\cdot)$ is Shannon's entropy function and $o(1)$ goes to zero with $q$.

Proof (Theorem 6.11). The proof is almost the same as that of Theorem 4.1. The only difference is in the Claim in which we have the restriction $|V_j| \le v$, and we conclude that $K \le \binom{q}{v}$. The only difference in the proof of Claim 4.7 is that now the event $A_i$ has probability at least $1/\binom{q}{v}$, using $v \le q/2$. □

7 Lower bounds on black-box constructions 

In a construction of signature schemes, one might use a standard primitive (e.g., a one-way function) rather than one with ideal security (e.g., a random function). These constructions could have different levels of "black-boxness", discussed thoroughly in [RTV04]. What we will call black-box is called fully black-box in [RTV04]. Here we give a more quantitative definition of such constructions. For simplicity we only define black-box constructions of signature schemes from hard one-way functions; the others are similar. After giving the formal definitions we will prove strong lower bounds on the efficiency of signature schemes from symmetric primitives when the construction is black-box.

Definition 7.1. Let $F_\ell$ denote the set of all functions $f: \{0,1\}^\ell \to \{0,1\}^\ell$ over $\ell$ bits. We call a family of functions $\{f_\ell \mid \ell \in \mathbb{N}, f_\ell \in F_\ell\}$ $s$-hard (to invert) if for any probabilistic algorithm $A$ running in time at most $s(\ell)$, we have $\Pr_{x \leftarrow \{0,1\}^\ell}[A(f(x)) \in f^{-1}(f(x))] < \tfrac{1}{s(\ell)}$, where the probability is over the choice of $x$ and the coin tosses of $A$.

By $S$-hard functions, for a set of functions $S$, we mean all those which are $s$-hard for some $s \in S$. (Think of $S$ as the set of all the functions which are super-polynomial, quasi-polynomial, or exponential, etc.) So, we will keep the convention that a capital $S$ denotes a set of functions.

For simplicity we use $n$, the length of the messages to be signed, as the security parameter of the signature scheme (i.e., the efficient schemes will run in time $\mathrm{poly}(n)$, and for larger values of $n$ the scheme becomes more secure).

Definition 7.2. A black-box construction of one-time signature schemes for $n$-bit messages from $S$-hard one-way functions, with security parameter contraction $\ell(n)$, is made of the following two families of reductions for all $n \in \mathbb{N}$:

• The implementation reduction $I = (\mathrm{Gen}, \mathrm{Sign}, \mathrm{Ver})$ has three components which are algorithms running in time $\mathrm{poly}(n)$ (Gen is probabilistic), and $I^f = (\mathrm{Gen}^f, \mathrm{Sign}^f, \mathrm{Ver}^f)$ satisfies Definition 3.5 by setting $O = f$ for any $f \in F_{\ell(n)}$.

• We call $A$ an $I^f$-breaker if $A$ is a (not necessarily efficient) adversary who breaks the security of $I^f$ with non-negligible probability over its own randomness by playing in the game defined in Definition 3.6. The security reduction $R$ is an algorithm running in time $t(n)$ where: (1) for any $f \in F_{\ell(n)}$ and any $I^f$-breaker $A$, $\Pr_{x \leftarrow \{0,1\}^{\ell(n)}}[R^{A,f}(f(x)) \in f^{-1}(f(x))] \ge \tfrac{1}{w(n)}$, where the probability is over the choice of $x$ and the coin tosses of $R$ and $A$; (2) $t(n)\,p(n) \le s(\ell(n))$ for any $p(n) = \mathrm{poly}(n)$, any $s(\cdot) \in S$, and large enough $n$; and (3) $w(n) \le s(\ell(n))$ for any $s \in S$ and large enough $n$.

The security parameter contraction factor $\ell(n)$ in Definition 7.2 measures how small the input length of the function used in the reduction (i.e., the security parameter of the primitive used) is compared to $n$ (i.e., the security parameter of the signature scheme). The term "security parameter expansion" is used in [HHRS07] for the inverse of the contraction parameter.

Note that having such a reduction, the existence of any efficiently computable family of functions $f: \{0,1\}^\ell \to \{0,1\}^\ell$ which is $s$-hard to invert for some $s \in S$ implies the existence of (efficient) one-time signature schemes which are secure against polynomial-time adversaries. That is because:

(1) We get an efficient implementation of the scheme by efficiently implementing $f$ for $I^f$, and

(2) If $A$ is an $I^f$-breaker running in time $\mathrm{poly}(n)$, the reduction $R$ combined with its subroutine $A$ breaks the $s$-hardness of $f$, which is not possible.

Now we prove a strong lower bound on the efficiency of signature schemes relying on the 
efficiency of strong one-way functions. Then we will show how it generalizes to any symmetric 
primitive and also functions with many hard-core bits. 

Theorem 7.3. Let $E$ denote the set of functions $E = \{f(\ell) \mid f = 2^{\Omega(\ell)}\}$. Any black-box construction of one-time signature schemes for $n$-bit messages from $E$-hard one-way functions with security parameter contraction $\ell(n)$ needs to ask $\min(\Omega(\ell(n)), n)$ queries from the one-way function.

Before going over the proof we make two observations. First, if the construction uses $E$-hard functions, it means that we should have $t(n) = 2^{o(\ell(n))}$ and $w(n) = 2^{o(\ell(n))}$ in the security reduction. Another point is that the existence of such a reduction, regardless of how many queries it asks, forces $\ell(n)$ to be $\omega(\log n)$, for otherwise the condition $t(n)\,\mathrm{poly}(n) \le s(\ell(n))$ in Definition 7.2 will be violated. Therefore, without loss of generality, we assume that $q \ge \log n$, because otherwise we can ask $\log n$ redundant queries in the key generation algorithm without changing the condition $q < \min(\Omega(\ell(n)), n)$.

Proof. For the sake of contradiction suppose that there is a black-box construction of signature schemes $(I, R)$ where $I$ asks $q < n$ queries from the one-way function and $\log n \le q = o(\ell(n))$.

The proof will go in two steps. We will first show that any such construction results in a (computationally unbounded) adversary asking $2^{o(\ell)}$ queries from a random function $f \leftarrow F_\ell$ and inverting it on a random point with probability at least $2^{-o(\ell)}$ (where this probability is also over the choice of $f$). Then we will show that it is not possible to have such an adversary, namely any adversary asking $2^{\ell/3}$ queries has chance at most $2^{-\ell/3}$ of doing so.

Step 1. Let $A$ be the adversary of Corollary 4.2 for the implementation $I$ of the signature scheme (note $q < n$), asking at most $2^{(1+o(1))q}$ queries from the function $f$ (note $q = o(\ell(n))$) and breaking $I^f$ with probability at least $1 - o(1)$ when $f$ is chosen at random, $f \leftarrow F_{\ell(n)}$, where $o(1)$ goes to zero with $q$. For large enough $\ell(n)$, $n$ becomes large enough too, and so does $q$ (because $q \ge \log n$). Therefore $A$ asks at most $2^{o(\ell(n))}$ queries from $f$ and breaks the scheme with probability at least 3/4 when $f \leftarrow F_{\ell(n)}$, for large enough $\ell(n)$. By an averaging argument, with probability at least 1/2 over the choice of $f$, $A$ breaks $I^f$ with probability at least 1/2 over its own randomness. We call such $f$'s the good ones. Whenever $f$ is good, $R^{A,f}$ inverts $f$ on a random point with probability at least $2^{-o(\ell(n))}$, and because $f$ is good with probability at least 1/2, $R^{A,f}$ inverts $f$ on a random point with probability at least $2^{-o(\ell(n))}$ for a randomly chosen $f \leftarrow F_{\ell(n)}$, where the probability is over the choice of $f$, the choice of the image to be inverted, and the randomness of $A$. By merging the code of $R$ with $A$, we get an adversary $B = R^A$ who asks at most $2^{o(\ell(n))} \cdot 2^{o(\ell(n))} = 2^{o(\ell(n))}$ queries from $f \leftarrow F_{\ell(n)}$ and inverts it on a random point (i.e., $y = f(x)$ for $x \leftarrow \{0,1\}^{\ell(n)}$) with probability at least $2^{-o(\ell(n))}$.

Step 2. Suppose $B$ is an adversary asking $2^{\ell/3}$ queries from a random function $f \leftarrow F_\ell$, trying to find a preimage for $f(x)$ where $x \leftarrow \{0,1\}^\ell$. We can pretend that the value of $f$ at each point is determined at random whenever it is asked for the first time. So, at first $x$ is chosen, $f(x)$ is chosen, and it is given to $B$. At first $B$ does not have any information about $x$, so the probability that $B$ asks $x$ in any of its $2^{\ell/3}$ queries is at most $2^{-2\ell/3}$. Assuming it does not ask $x$, the probability that $B$ receives the answer $f(y) = f(x)$ by asking any $y \ne x$ is at most $2^{-2\ell/3}$. Assuming that none of the mentioned events happens, if it outputs $y$ different from all queries it has asked from $f$, $f(y) = f(x)$ happens with probability $2^{-\ell}$. So its chance of winning is at most $2^{-2\ell/3} + 2^{-2\ell/3} + 2^{-\ell} < 2^{-\ell/3}$ (for $\ell > 4$). □
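The Step 2 argument, as an added Python simulation that is not from the paper: a lazily sampled random function, an adversary with a budget of $2^{\ell/3}$ queries that follows the strategy the proof analyses, the three-term failure bound from the text, and a Monte Carlo estimate for a small constructed $\ell$ (class and function names are ours).

```python
import random

class LazyRandomFunction:
    """Random function f: {0,1}^ell -> {0,1}^ell whose value at a point is drawn
    uniformly the first time that point is queried (lazy sampling, as in Step 2)."""

    def __init__(self, ell, rng):
        self.ell = ell
        self.rng = rng
        self.table = {}

    def __call__(self, x):
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(self.ell)
        return self.table[x]

def generic_inverter(f, y, budget, ell, rng):
    """Adversary B with a query budget: query uniformly random points, return one
    whose image is y if it appears, otherwise output a point it never queried."""
    asked = set()
    for _ in range(budget):
        z = rng.getrandbits(ell)
        asked.add(z)
        if f(z) == y:
            return z
    while True:                      # final guess outside the queried set
        z = rng.getrandbits(ell)
        if z not in asked:
            return z

def proof_bound(ell):
    """2^{-2ell/3} + 2^{-2ell/3} + 2^{-ell}: B queries x itself, B sees some
    other point collide with f(x), or B's unqueried final guess maps to f(x)."""
    return 2.0 ** (-2 * ell / 3) + 2.0 ** (-2 * ell / 3) + 2.0 ** (-ell)

def inversion_rate(ell, trials, seed=0):
    """Monte Carlo estimate of Pr[B inverts f on a random point] when B asks
    2^{ell/3} queries; f, x and f(x) are freshly sampled in every trial."""
    rng = random.Random(seed)
    budget = round(2 ** (ell / 3))
    wins = 0
    for _ in range(trials):
        f = LazyRandomFunction(ell, rng)
        x = rng.getrandbits(ell)
        y = f(x)
        guess = generic_inverter(f, y, budget, ell, rng)
        wins += f(guess) == y        # f(guess) is sampled lazily if never asked
    return wins / trials

if __name__ == "__main__":
    ell = 12                          # constructed toy length: 16 queries allowed
    print("2^{-ell/3}      :", 2 ** (-ell / 3))
    print("three-term bound:", proof_bound(ell))
    print("observed rate   :", inversion_rate(ell, 3000))
```

For $\ell = 12$ the observed rate stays well under $2^{-\ell/3} = 1/16$, and the three-term bound is below $2^{-\ell/3}$ for every $\ell > 4$, as the proof claims.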

As is clear from the theorem, our lower bound becomes stronger for larger values of $\ell(n)$, which is also the case in the similar (unconditional) lower-bound results [HHRS07, Wee07].

In order to extend the lower bound to other symmetric primitives (and functions with many hard-core bits) we can follow the same steps as in the proof of Theorem 7.3, using the following lemma.

Lemma 7.4. Let $P$ be a symmetric primitive (i.e., one-way function, one-way permutation, collision-resistant hash function, pseudorandom generator, pseudorandom function, message authentication code, or block cipher), or the primitive of functions $f: \{0,1\}^\ell \to \{0,1\}^\ell$ with $\ell/2$ hard-core bits. Then there is an implementation of $P$ for security parameter $\ell$ with access to either a random oracle, a random permutation oracle, or an ideal cipher oracle which asks only a constant number of queries of length $\Theta(\ell)$ from the oracle, and any (computationally unbounded) adversary Adv who asks at most $2^{o(\ell)}$ queries from the oracle has chance at most $2^{-\Omega(\ell)}$ of breaking it (over the randomness of Adv and the oracle used).

Proof. We will describe the natural implementations and will show the proof of security only for the case that $P$ is the primitive of functions with $\ell/2$ hard-core bits. The security proofs for the other implementations are also easy to get (in fact, we already gave the proof for the case of one-way functions in the proof of Theorem 7.3).

• One-way function using random oracle: To define the value of the function $f$ on input $x \in \{0,1\}^\ell$, we simply use the oracle's answer: $f(x) = O(x)$.

• One-way permutation using random permutation oracle: To define the value of the permutation $p$ on input $x \in \{0,1\}^\ell$, we simply use the oracle's answer: $p(x) = O(x)$.

• Collision-resistant hash function using random oracle: The value of the hash function $h$ on input $x \in \{0,1\}^\ell$ is made by using the first $\ell/2$ bits of the oracle's answer: $h(x) = b_1 \ldots b_{\ell/2}$ where $O(x) = b_1 \ldots b_\ell$.

• Pseudorandom generator using random oracle: The stretched output of the generator $g$ on input $x \in \{0,1\}^\ell$ is the output of the oracle on the padded query: $g(x) = O(x \| 0^\ell)$.

• Pseudorandom function using random oracle: Using the key $k \in \{0,1\}^\ell$ on input $x \in \{0,1\}^\ell$, the output of the function will be the first $\ell$ bits of the oracle's answer on the query made by concatenating $k$ and $x$: $f_k(x) = b_1 \ldots b_\ell$ where $O(k \| x) = b_1 \ldots b_{2\ell}$.

• Message authentication code using random oracle: Using the key $k \in \{0,1\}^\ell$, the authentication code of the message $x \in \{0,1\}^\ell$ is defined similarly to the pseudorandom function. The verification is clear.

• Block cipher using ideal cipher oracle: Using the key $k \in \{0,1\}^\ell$, the input $x \in \{0,1\}^\ell$, and the direction $d$, we simply use the oracle's answer $O(k, x, d)$ as our cipher.

• Function with $\ell/2$ hard-core bits using random oracle: The value of the function $f$ on input $x = x_1 \ldots x_\ell$ uses the oracle's answer, $f(x) = O(x)$, and the hard-core bits for $x$ will be the first $\ell/2$ bits of it: $HC(x) = x_1 \ldots x_{\ell/2}$.

Now we prove the claim for the last primitive (i.e., functions with $\ell/2$ hard-core bits). Suppose the adversary $A$ asks at most $2^{\ell/4}$ queries from the function $f$. Again, we assume that $f$ chooses its answers randomly whenever asked for the first time. In order to break the hard-core property of the function $f$, the adversary $A$ needs to distinguish between two experiments. In the first one she is given $(f(x), U_{\ell/2})$, and in the second one she is given $(f(x), HC(x))$, and in both of the experiments $f \leftarrow F_\ell$ and $x \leftarrow \{0,1\}^\ell$ are chosen at random. Note that as long as $A$ does not ask $x$ from the oracle, the two experiments are the same. At the beginning $A$ does not know the second half of the bits of $x$. So the probability that she asks $x$ from the oracle in one of her $2^{\ell/4}$ queries is at most $2^{\ell/4} \cdot 2^{-\ell/2} = 2^{-\ell/4}$. Hence, if the probability that she outputs 1 in experiment $i$ is $p_i$ (for $1 \le i \le 2$), we have $|p_1 - p_2| \le 2^{-\ell/4}$. □

So by using Lemma 7.4 and following the steps of the proof of Theorem 7.3 we get the following theorem:

Theorem 7.5. Let $E$ denote the set of functions $E = \{f(\ell) \mid f = 2^{\Omega(\ell)}\}$, and let $P$ be either a symmetric primitive or the primitive of functions with $\ell/2$ hard-core bits. Any black-box construction of one-time signature schemes for $n$-bit messages from an $E$-hard primitive $P$ with security parameter contraction $\ell(n)$ needs to ask $\min(\Omega(\ell(n)), n/4)$ queries from the primitive $P$.

8 Conclusions and open questions 

We believe that lower bounds of this form — the efficiency of constructing various schemes using 
black box idealized primitives — can give us important information on the efficiency and optimality 
of various constructions. In particular, three natural questions related to this work are: 

• Can one pinpoint more precisely the optimal number of queries in the construction of one-time signature schemes based on random oracles? In particular, perhaps our lower bound can be improved to show that the variant of Lamport's scheme given in Section 5 is optimal up to lower-order terms.

• What is the threshold $d$ such that whenever $n < dq$, we can get signature schemes for messages $\{0,1\}^n$ using $q$ oracle queries and arbitrarily large security? Again, it seems that the variant of Lamport's scheme given in Section 5 (working for $\log\binom{\cdot}{\cdot}$-bit messages without hashing) gives this threshold (i.e., $d \approx 0.812$).

• Can we obtain a $2^{O(q)}$-query attack succeeding with high probability against signature schemes with imperfect completeness?

• Are there stronger bounds for general (not one-time) signatures? A plausible conjecture is that obtaining a $T$-time signature with black-box security $S$ requires $\Omega(\log T \log S)$ queries.



Acknowledgements: We thank David Xiao for useful discussions. 